Masking the GLP Lattice-Based Signature Scheme at Any Order

Gilles Barthe1, Sonia Bela¨ıd2, ‘omas Espitau3, Pierre-Alain Fouque4, Benjamin Gregoire´ 5, Melissa´ Rossi6,7, and Mehdi Tibouchi8

1 IMDEA So‰ware Institute [email protected] 2 CryptoExperts [email protected] 3 Sorbonne Universite,´ Laboratoire d’informatique de Paris VI [email protected] 4 Universite´ de Rennes [email protected] 5 Inria Sophia Antipolis [email protected] 6 ‘ales 7 Ecole´ Normale Superieure´ de Paris, Departement´ d’informatique, CNRS, PSL Research University, INRIA [email protected] 8 NTT Secure Platform Laboratories [email protected]

Abstract. Recently, numerous physical a‹acks have been demonstrated against la‹ice- based schemes, o‰en exploiting their unique properties such as the reliance on Gaussian distributions, rejection sampling and FFT-based polynomial multiplication. As the call for concrete implementations and deployment of postquantum cryptography becomes more pressing, protecting against those a‹acks is an important problem. However, few counter- measures have been proposed so far. In particular, masking has been applied to the decryp- tion procedure of some la‹ice-based encryption schemes, but the much more dicult case of signatures (which are highly non-linear and typically involve randomness) has not been considered until now. In this paper, we describe the €rst masked implementation of a la‹ice-based signature scheme. Since masking Gaussian sampling and other procedures involving contrived prob- ability distribution would be prohibitively inecient, we focus on the GLP scheme of Guneysu,¨ Lyubashevsky and Poppelmann¨ (CHES 2012). We show how to provably mask it in the Ishai–Sahai–Wagner model (CRYPTO 2003) at any order in a relatively ecient man- ner, using extensions of the techniques of Coron et al. for converting between arithmetic and Boolean masking. Our proof relies on a mild generalization of probing security that supports the notion of public outputs. We also provide a proof-of-concept implementation to assess the eciency of the proposed countermeasure.

Keywords: Side-channel, Masking, GLP la‹ice-based signature 1 Introduction

As the demands for practical implementations of postquantum cryptographic schemes get more pressing ahead of the NIST postquantum competition and in view of the recommendations of various agencies, understanding the security of those schemes against physical a‹acks is of paramount importance. La‹ice-based cryptography, in particular, is an a‹ractive option in the postquantum se‹ing, as it allows to design postquantum implementations of a wide range of primitives with strong security guarantees and a level of eciency comparable to currently de- ployed RSA and elliptic curve-based schemes. However, it poses new sets of challenges as far as side-channels and other physical a‹acks are concerned. In particular, the reliance on Gaussian distributions, rejection sampling or the number-theoretic transform for polynomial multiplica- tion have been shown to open the door to new types of physical a‹acks for which it is not always easy to propose ecient countermeasures. ‘e issue has in particular been laid bare in a number of recent works for the case of la‹ice- based signature schemes. La‹ice-based signature in the random oracle model can be roughly di- vided into two families: on the one hand, constructions following Lyubashevsky’s “Fiat–Shamir with aborts” paradigm [25], and on the other hand, hash-and-sign signatures relying on la‹ice trapdoors, as introduced by Gentry, Peikert and Vaikuntanathan [21]. A‹empts have been made to implement schemes from both families, but Fiat–Shamir signatures are more common (al- though their postquantum security is admi‹edly not as well grounded). ‘e underlying frame- work is called Fiat–Shamir with aborts because, unlike RSA and discrete logarithm-based con- structions, la‹ice-based constructions involve sampling from sets that do not admit a nice al- gebraic structure. A na¨ıve sampling algorithm would leak partial key information, in much the same way as it did in early heuristic schemes like GGH and NTRUSign; this is avoided by forc- ing the output signature to be independent of the secret key using rejection sampling. Many instantiations of the framework have been proposed [25,26,23,17,29], some of them quite e- cient: for example, the BLISS signature scheme [17] boasts performance and key and signature sizes roughly comparable to RSA and ECDSA signatures. However, the picture becomes less rosy once physical a‹acks are taken into account. For instance, Groot Bruinderink et al. [8] demonstrated a cache a‹ack targe‹ing the Gaussian sam- pling of the randomness used in BLISS signatures, which recovers the entire secret key from the side-channel leakage of a few thousand signature generations. Fault a‹acks have also been demonstrated on all kinds of la‹ice-based signatures [19,7]. In particular, Espitau et al. recover the full BLISS secret key using a single fault on the generation of the randomness (and present a similarly ecient a‹ack on GPV-style signatures). More recently, ACM CCS 2017 has featured several papers [20,28] exposing further side-channel a‹acks on BLISS, its variant BLISS–B, and their implementation in the strongSwan VPN so‰ware. ‘ey are based on a range of di‚erent side channels (cache a‹acks, simple and correlation electromagnetic analysis, branch tracing, etc.), and some of them target new parts of the signature generation algorithm, such as the rejection sampling. In order to protect against a‹ack such as these, one would like to apply powerful counter- measures like masking. However, doing so eciently on a scheme like BLISS seems hard, as discussed in [20]. Indeed, the sampling of the Gaussian randomness in BLISS signature gener- ation involves either very large lookup tables, which are expensive to mask eciently, or iter- ative approaches that are hard to even implement in constant time–let alone mask. Similarly, the rejection sampling step involves transcendental functions of the secret data that have to be computed to high precision; doing so in masked form seems daunting.

2 However, there exist other la‹ice-based signatures that appear to support side-channel coun- termeasures like masking in a more natural way, because they entirely avoid Gaussians and other contrived distributions. Both the sampling of the randomness and the rejection sampling of signatures target uniform distributions in contiguous intervals. Examples of such schemes include the GLP scheme of Guneysu,¨ Lyubashevsky and Poppelmann¨ [23], which can be seen as the ancestor of BLISS, and later variants like the Dilithium scheme of Ducas et al. [18] (but not Dilithium-G). In this paper, we show how to eciently mask the GLP scheme at any masking order, so as to achieve security against power analysis and related a‹acks (both simple power analysis and higher-order a‹acks like di‚erential/correlation power analysis). ‘is is to the best of our knowledge the €rst time a masking countermeasure has been applied to protect la‹ice-based signatures.

Related work. Masking is a well-known technique introduced by Chari, Rao and Rohatgi at CHES 2002 [9] and essentially consists in spli‹ing a secret value into d + 1 ones (d is thus the masking order), using a secret sharing scheme. ‘is will force the adversary to read many in- ternal variables if he wants to recover the secret value, and he will gain no information if he observes fewer than d values. ‘e advantage of this spli‹ing is that linear operations cost noth- ing, but the downside is that non-linear operations (such as the AES S-box) can become quite expensive. Later, Ishai, Sahai and Wagner [24] developed a technique to prove the security of masking schemes in the threshold probing model (ISW), in which the adversary can read o‚ at most d wires in a circuit. Recently, Duc, Dziembowski and Faust [16] proved the equivalence between this threshold model and the more realistic noisy model, in which the adversary ac- quires leakage on all variables, but that leakage is perturbed with some noise distribution, as is the case in practical side-channel a‹acks. Since the ISW model is much more convenient for designing and proving masking countermeasures, it is thus preferred, as the equivalence results of Duc et al. ultimately ensure that a secure implementation in the ISW model at a suciently high masking order is going to be secure against practical side-channel a‹acks up to a given signal-to-noise ratio. Masking has been applied to la‹ice-based encryption schemes before [31,30]. However, in these schemes, only the decryption procedure needs to be protected, and it usually boils down to computing a scalar product between the secret key and the ciphertext (which is a linear operation in the secret data) followed by a comparison (which is non-linear, but not very dicult to mask). Oder et al. [27] point out a number of issues with those masked decryption algorithms, and describe another one, for a CCA2-secure version of Ring-LWE public-key encryption.

Our results. Masking la‹ice-based signatures, even in the comparatively simple case of GLP, turns out to be surprisingly dicult—possibly more so than any of the previous masking coun- termeasures considered so far in the literature. ‘e probabilistic nature of signature generation, as well as its reliance on rejection sampling, present challenges (both in terms of design and of proof techniques) that had not occurred in earlier schemes, most of them deterministic. In addi- tion, for performance reasons, we are led to require a stronger security property of the original, unprotected signature scheme itself, which we have to establish separately. More precisely, the following issues arise.

Conversion between Boolean and mod-p arithmetic masking. Most steps of the signing algorithm n involve linear operations on polynomials in the ring R = Zp[x]/(x + 1). ‘ey can thus be

3 masked very cheaply using mod-p arithmetic masking: each coecient is represented as a sum of d + 1 additive shares modulo p. For some operations, however, this representation is less convenient. ‘is is in particular the case for the generation of the randomness at the beginning of the algorithm, which consists of two polynomials y1, y2 with uniformly random coecients in a subinterval [−k, k] of Zp. Generating such a random value in masked form is relatively easy with Boolean masking, but seems hard to do eciently with arithmetic masking. ‘erefore, we have to carry out a conversion from Boolean masking to mod-p arithmetic masking. Such conversions have been described before [15,13], but only when the modulus p was a power of 2. Adapting them to our se‹ings requires some tweaks. Similarly, the rejection sampling step amounts to checking whether the polynomials in the signature have their coecients in another interval [−k0, k0]. Carrying out the corresponding comparison is again more convenient with Boolean masking, and hence we need a conversion algorithm in the other direction, from mod-p arithmetic masking to Boolean masking. We are again led to adapt earlier works on arithmetic-to-Boolean masking conversion [15,14] to the case of a non-prime modulus.

Security of the signature scheme when revealing the “commitment” value. One of the operations in signature generation is the computation of a hash function mapping to polynomials in R of a very special shape. Masking the computation of this hash function would be highly inecient and dicult to combine with the rest of the algorithm. Indeed, the issue with hashing is not obtaining a masked bit string (which could be done with something like SHA-3), but expanding that bit string into a random-looking polynomial c of €xed, low Hamming weight in masked form. ‘e corresponding operation is really hard to write down as a circuit. Moreover, even if that could be done, it would be terrible for performances because subsequent multiplications by c are no longer products by a known sparse constant, but full-blown ring operations that have to be fully masked. But more importantly, this masking should intuitively be unnecessary. Indeed, when we see the signature scheme as the conversion of an identi€cation protocol under the Fiat–Shamir transform, the hash function computation corresponds to the veri€er’s sampling of a random challenge c a‰er it receives the commitment value r from the prover. In particular, the veri€er always learns the commitment value r (corresponding to the input of the hash function), so if the identi€cation protocol is “secure”, one should always be able to reveal this value without compromising security. But the security of the signature scheme only o‚ers weak guarantees on the security of the underlying identi€cation protocol, as discussed by Abdalla et al. [1]. In usual Fiat–Shamir signatures, this is never an issue because the commitment value can always be publicly derived from the signature (as it is necessary for signature veri€cation). How- ever, things are more subtle in the Fiat–Shamir with aborts paradigm, since the value r is not normally revealed in executions of the signing algorithm that do not pass the rejection sampling step. In our se‹ing, though, we would like to unmask the value to compute the hash function in all cases, before knowing whether the rejection sampling step will be successful. If we do so, the side-channel a‹acker can thus learn the pair (r, c) corresponding to rejected executions as well, and this is not covered by the original security proof, nor does security with this additional leakage look reducible to the original security assumption. However, it is heuristically a hard problem to distinguish those pairs from uniform (an LWE- like problem with a rather unusual distribution), so one possible approach, which requires no change at all to the algorithm itself, is to redo the security proof with an additional, ad hoc

4 hardness assumption. ‘is is the main approach that we suggest in this paper. Although heuris- tically safe, it is rather unsatisfactory from a theoretical standpoint, so we additionally propose another approach:9 compute the hash function not in terms of r itself, but of f(r) where f is a statistically-hiding commitment scheme whose opening information is added to actual signa- tures, but not revealed in executions of the algorithm that do not pass the rejection sampling. Using a suitable f, f(r) can be eciently computed in masked form, and only the result needs to be unmasked. It is then clear that the leakage of f(r), c
is innocuous, and the modi€ed scheme can be proved entirely with no additional hardness assumption. ‘e downside of this approach is of course that the commitment key increases the size of the public key, the opening information increases the size of signatures, and the masked computation of the commitment itself takes a not insigni€cant amount of time. For practical purposes, we therefore recommend the heuristic approach.

Security of masking schemes with output-dependent probes. In order to prove the security of our masked implementation we see that we reveal some public value r or a commitment of it. Consequently, we must adapt the notion of security from the threshold probing model to account for public outputs; the idea here is not to state that public outputs do not leak relevant information, but rather that the masked implementation does not leak more information than the one that is released through public outputs. We capture this intuition by le‹ing the simulator depend on the distribution of the public outputs. ‘is extends the usual “non-interference” (NI) security notion to a new, more general notion of “non-interference with public outputs” (NIo).

Security proofs. ‘e overall security guarantee for the masked implementation is established by proving the security of individual gadgets and asserting the security of their combination. For some gadgets, one establishes security in the usual threshold probing model, opening the pos- sibility to resort to automated tools such as maskComp [4] to generate provably secure masked implementations. For other gadgets, the proofs of security are given by exhibiting a simulator, and checking its correctness manually. Finally, the main theorem is deduced from the proof of correctness and security in the threshold probing model with public outputs for the masked implementation, and from a modi€ed proof of security for the GLP scheme.

Organization of the paper. In §2, we describe the GLP signature scheme and the security assumption on which its security is based. In §3, we present the new security notions used in our proofs. ‘en, in §4, we describe how to mask the GLP algorithm at any masking order. Finally, in §5, we describe an implementation of this masking countermeasure, and suggest some possible eciency improvements.

2 ‡e GLP signature scheme

2.1 Parameters and security Notations. ‘roughout this paper, we will use the following notations: n is a power of 2, p is a prime number congruent to 1 modulo 2n, R is the polynomial ring modulo xn + 1, n R = Zp[x]/(x + 1). ‘e elements of R can be represented by polynomials of degree n − 1 p−1 p−1 with coecients in the range [− 2 , 2 ]. For an integer k such that 0 < k ≤ (p − 1)/2, we 9 We are indebted to Vadim Lyubashevsky for suggesting this approach.

5 $ denote by Rk the elements of R with coecients in the range [−k, k]. We write ←− S for picking $ uniformly at random in a set S or ←−D for picking according to some distribution D. ‘e key generation algorithm for the GLP signature scheme is as follows:

Algorithm 1: GLP key derivation Result: Signing key sk, veri€cation key pk $ 1 s1, s2 ←−R1 //s1 and s2 have coecients in {−1, 0, 1} $ 2 a ←−R 3 t ← as1 + s2 4 sk ← (s1, s2) 5 pk ← (a, t) Given the veri€cation key pk = (a, t), if an a‹acker can derive the signing key, he can be used to also solve a DCKp,n problem de€ned in [23].

De€nition 1 Œe DCKp,n problem (Decisional Compact Knapsack problem) is the problem of distinguishing between the uniform distribution over R×R and the distribution (a, as1 +s2) with s1,s2 uniformly random in R1.

In the security proof of our variant of the signature scheme, we introduce a new computa- tional problem.

De€nition 2 Œe R-DCKp,n problem (Rejected-Decisional Compact Knapsack problem) is the n problem of distinguishing between the uniform distribution over R × R × Dα and the distribution n 2 (a, ay1 + y2, c) where (a, c, y1, y2) is uniformly sampled in R × Dα × Rk, conditioned by the event s1c + y1 ∈/ Rk−α or s2c + y2 ∈/ Rk−α.

As shown in Appendix A.3, assuming the hardness of R-DCKp,n can be avoided entirely by computing the hash value c not in terms of r = ay1 + y2, but of a statistically hiding commitment thereof. ‘is approach shows that masking can be done based on the exact same assumptions as the original scheme, but at some non-negligible cost in eciency. To obtain a scheme that more directly follows the original one and to keep the overhead reasonable, we propose to use R-DCKp,n as an extra assumption, which we view as a prag- matic compromise. ‘e assumption is admi‹edly somewhat arti€cial, but the same can be said of DCKp,n itself to begin with, and heuristically, R-DCKp,n is similar, except that it removes smaller (hence “easier”) instances from the distribution: one expects that this makes distinguish- ing harder, even though one cannot really write down a reduction to formalize that intuition.

2.2 ‡e signature scheme ‘is part describes the signature scheme introduced in [23]. Additional functions like transform and compress introduced in [23] can be used to shorten the size of the signatures. Note however that for masking purposes, we only need to consider the original, non-compressed algorithm of Guneysu¨ et al., which we describe below. Indeed, signature compression does not a‚ect our masking technique at all, because it only involves unmasked parts of the signature generation algorithm (the input of the hash function and the returned signature itself). As a result, although this paper only discusses the non-compressed scheme, we can directly apply our technique to

6 the compressed GLP scheme with no change, and in fact this is what our proof-of-concept im- plementation in section5 actually does. ∗ n ‘e signature scheme needs a particular cryptographic hash function, H : {0, 1} → Dα, n where Dα is the set of polynomials in R that have all zero coecients except for at most α = 32 coecients that are in {−1, +1} (or α = 16 when using the updated parameters presented in [10]). Let k be a security parameter. Algorithms2 and3 respectively describe the GLP signature and veri€cation. Here is the soundness equation for the veri€cation : az1 + z2 − tc = ay1 + y2.

‘e parameter k controls the trade-o‚ between the security and the runtime of the scheme. ‘e smaller k gets, the more secure the scheme becomes and the shorter the signatures get but the time to sign will increase. ‘e authors of the implementation of [23] suggest k = 214, n = 512 and p = 8383489 for ≈ 100 bits of security and k = 215, n = 1024 and p = 16760833 for > 256 bits of security.

2.3 Security proof of the r-GLP variant As mentioned above, masking the hash function of the GLP signature directly has a prohibitive cost, and it is thus preferable to unmask the input r = ay1 + y2 to compute the hash value c = H(r, m). Doing so allows a side-channel a‹acker to learn the pair (r, c) corresponding to rejected executions as well, and since that additional information is not available to the adver- sary in the original se‹ing, we need to show that it does not a‚ect the security of the scheme. ‘is stronger security requirement can be modeled as the unforgeability under chosen mes- sage a‹acks of a modi€ed version of the GLP signature scheme in which the pair (r, c) is made public when a rejection occurs. We call this modi€ed scheme r-GLP, and describe it as Algo- rithm4. ‘e modi€cation means that, in the EUF-CMA security game, the adversary gets access not only to correctly generated GLP signatures, but also to pairs (r, c) when rejection occurs, which is exactly the se‹ing that arises as a result of unmasking the value r. ‘e following the- orem, proved in the Appendix A.2, states that the modi€ed scheme is indeed secure, at least if we are willing to assume the hardness of the additional DCKp,n assumption.

n ‡eorem 1. Let n, p, R and Dα as de€ned in section 2.1. Assuming the hardness of the DCKp,n and R-DCKp,n problems, the signature r-GLP is EUF-CMA secure in the random oracle model.

Algorithm 2: GLP signature Algorithm 3: GLP veri€cation Data: m, pk, sk Data: m, σ, pk Result: Signature σ 1 if z1, z2 ∈ Rk−α and $ c = H(az + z − tc, m) 1 y1, y2 ←−Rk 1 2 then 2 accept 2 c ← H(r = ay1 + y2, m) 3 3 z1 ← s1c + y1 else 4 reject 4 z2 ← s2c + y2 5 5 if z1 or z2 ∈/ Rk−α then end 6 restart 7 end 8 return σ = (z1, z2, c)

7 Algorithm 4: Tweaked signature with public r Data: m, pk = (a, t), sk = (s1, s2) Result: Signature σ $ 1 y1 ←−Rk $ 2 y2 ←−Rk 3 r ← ay1 + y2 4 c ← H(r, m) 5 z1 ← s1c + y1 6 z2 ← s2c + y2 7 if z1 or z2 ∈/ Rk−α then 8 (z1, z2) ← (⊥, ⊥) 9 end 10 return σ = (z1, z2, c, r)

Remark 1. As mentioned previously, we can avoid the non-standard assumption R-DCKp,n by hashing not r but f(r) for some statistically hiding commitment f (which can itself be con- structed under DCKp,n, or standard la‹ice assumptions). See the Appendix A.2 of this paper for details . ‘e downside of that approach is that it has a non negligible overhead in terms of key size, signature size, and to a lesser extent signature generation time.

3 ‡reshold probing model with public outputs

In this section, we brieƒy review the de€nition of the threshold probing model, and introduce an extension to accommodate public outputs.

3.1 ‡reshold probing model ‘e threshold probing model introduced by Ishai, Sahai and Wagner considers implementations that operate over shared values [24]. De€nition 3 Let d be a masking order. A shared value is a (d + 1)-tuple of values, typically integers or Booleans. A (u, v)-gadget is a probabilistic algorithm that takes as inputs u shared values, and returns distributions over v-tuples of shared values. (u, v)-gadgets are typically used to implement functions that take u inputs and produce v outputs. Gadgets are typically wri‹en in pseudo-code, and induce a mapping from u-tuples of shared val- ues (or equivalently u(d + 1)-tuples of values) to a distribution over v-tuples of values, where the output tuple represents the joint distribution of the output shared values as well as all inter- mediate values computed during the execution of the gadget. We now turn to the de€nition of probing security. Informally, an implementation is d-probing secure if and only if an adversary that can observe at most d intermediate values cannot recover information on secret inputs. De€nition 4 d-non-interference (d-NI): A gadget is d-non-interfering if and only if every set of at most d intermediate variables can be perfectly simulated with at most d shares of each input.

8 De€nition 5 d-strong-non-interference (d-SNI): A gadget is d-strongly non interfering if and only if every set of size d0 ≤ d containing d1 intermediate variables and d2 = d0 − d1 returned values can be perfectly simulated with at most d1 shares of each input.

‘is notion of security is formulated in a simulation-based style. It is however possible to pro- vide an equivalent notion as an information ƒow property in the style of programming language security and recent work on formal methods for proving security of masked implementations.

‡e maskComp tool. For certain composition proofs, we will use the maskComp tool from Barthe et al. [4]. It uses a type-based information ƒow analysis with cardinality constraints and ensures that the composition of gadgets is d-NI secure at arbitrary orders, by inserting refresh gadgets when required.

3.2 ‡reshold probing model with public outputs

‘e security analysis of our masked implementation of GLP requires an adaptation of the stan- dard notion of security in the threshold probing model. Speci€cally, our implementation does not a‹empt to mask the computation of H(r, m) at line 2 of Algorithm2; instead, it recovers r from its shares and then computes H(r, m). ‘is optimization is important for the eciency of the masked algorithm, in particular because it is not immediately clear whether one can mask the hash function H eciently—note that this kind of optimization is also reminiscent of the method used to achieve ecient sorting algorithms in multi-party computations. From a security perspective, recombining r in the algorithm is equivalent to making r a public output. In contrast with “return values”, we will refer to “outputs” as values broadcast on a public channel during the execution of the masked algorithm. ‘e side-channel a‹acker can therefore use outputs in a‹acks. Since the usual notions of NI and SNI security do not account for outputs in that sense, we need to extend those notions of security to support algorithms that provide such outputs. ‘e idea here is not to state that public outputs do not leak relevant information, but rather that the masked implementation does not leak more information than the one that is released through public outputs. We capture this intuition by le‹ing the simulator depend on the distribution of the public outputs.

De€nition 6 A gadget with public outputs is a gadget together with a distinguished subset of intermediate variables whose values are broadcast during execution.

We now turn to the de€nition of probing security for gadgets with public outputs.

De€nition 7 d-non-interference for gadgets with public outputs(d-NIo): A gadget with public outputs X is d-NIo if and only if every set of at most d intermediate variables can be perfectly simulated with the public outputs and at most d shares of each input.

Again, it is possible to provide an equivalent notion as an information ƒow property in the style of programming language security. Note that the use of public outputs induces a weaker notion of security.

Lemma 1. Let G be a d-NI-gadget. Œen G is d-NIo secure for every subset X of intermediate variables.

9 Informally, the lemma states that a gadget that does not leak any information also does not leak more information than the one revealed by a subset of its intermediate variables. ‘e lemma is useful to resort to automated tools for proving NI security of some gadgets used in the masked implementations of GLP. In particular, we will use the maskComp tool. Since d-NIo security is weaker than d-NI security, we must justify that it delivers the re- quired security guarantee. ‘is is achieved by combining the proofs of security for the modi€ed version of GLP with public outputs, and the proofs of correctness and security for the masked implementations of GLP.

3.3 EUF-CMA-security in the d probing model GLP is claimed EUF-CMA (existential unforgeablitiy under chosen message a‹ack). It is thus relevant to consider several accesses to the signing oracle for the masked algorithm. ‘e fol- lowing de€nition introduces a notion that combines the EUF-CMA security property and the security in the ISW model.

De€nition 1. A signature scheme (KeyGen, Sign, Verify) with signing key update algorithm KeyUpdate is EUF-CMA-secure in the d-probing model if any PPT adversary has a negligible probability of win- ning in the following game.

Adversary Challenger (KeyGen,Sign,Verify,KeyUpdate) ←−−−−−−−−−−−−−−−−−− O −−−−→KeyGen pk, LKeyGen
λ ←−−−−−− (sk, pk), LKeyGen ← ExecObs(OKeyGen, KeyGen, 1 ) (1) m(1), O  −−−−−−−→Sign   σ(1), (1)
← ExecObs( (1) , Sign, , m(1))  LSign OSign sk  (1) (1)  σ , LSign  ←−−−−−− ← KeyUpdate( )  sk sk  . q queries .  (q) (q)  m , OSign  −−−−−−−→   (q) (q)
(q) (q)  σ , L ← ExecObs(O , Sign, sk, m )  Sign Sign  σ(q), (q)  LSign  ←−−−−−− sk ← KeyUpdate(sk) m∗, σ∗ forgery  −−−−→ b ← Verify(pk, m∗, σ∗) ∧ (m∗ ∈/ {m(1), . . . , m(q)})∧ (i) ∧|OKeyGen| ≤ d ∧ ∀i ∈ {1, . . . , q}, |OSign| ≤ d

Fig. 1. d probing EUF-CMA game. ExecObs is a universal Turing machine that takes as input a series of observations, an algorithm and several possible arguments, and returns the output of the algorithm on those arguments, together with the leakage values corresponding to the desired observations.

10 Remark 2. De€nition1 assumes that the a‹acker do not get any leakage during the KeyUpdate. In this model, the KeyUpdate is not part of the signing procedure. Another de€nition could assume that the a‹acker also gets leakage during the KeyUpdate. In this alternative de€nition, the total number of observations should be bounded by d. In other words, instead of the condition (i) P (i) ∀i ∈ {1, . . . , q}, |OSign| ≤ d, one should have i∈{1,...,q} |OSign| ≤ d.

4 Masked algorithm

In this section, the whole GLP scheme is turned into a functionally equivalent scheme secure in the d-probing model with public outputs. Note that it suces to mask the key derivation in the d-probing model and the signature in the d-probing model with public output r, since the veri€cation step does not manipulate sensitive data.

Remark 3. ‘e masked version of GLP scheme with commitment has also been turned into a functionally equivalent scheme proved secure in the d-probing model with public output r. Its masked version is a li‹le more complex, it is detailed in the AppendixB.

4.1 Overall structure For simplicity, we will show the masking on a single iteration version of the signature. ‘e masking can be generalized by calling the masked signature again if it fails. To ensure protection against d-th order a‹acks, we suggest a masking countermeasure with d+1 shares for the following sensitive data : y1, y2, s1 and s2. All the public variables are (a, t) (i.e., the public key), m (i.e., the message), RejSp (i.e., the bit corresponding to the success of the rejection sampling), (z1, z2, c) (i.e., the signature). As mentioned before, because of the need of r recombination, even if r is an intermediate value, it is considered as a public output. Most operations carried out in the GLP signing algorithm are arithmetic operations modulo p, so we would like to use arithmetic masking. It means for example that y1 will be replaced by y1,0, ...y1,d ∈ R such that y1 = y1,0 + ... + y1,d mod p. ‘e issue is that at some points of the algorithm, we need to perform operations that are be‹er expressed using Boolean masking. ‘ose parts will be extracted from both the key derivation

a (s1,i)0≤i≤d

DG (s1,i)0≤i≤d (ti)0≤i≤d t H1 FullAdd

(s2,i)0≤i≤d DG

(s2,i)0≤i≤d

Fig. 2. Composition of mKD (‘e blue gadgets will be proved d-NIo, the white ones will be proved d-NI)

11 (s1,i)0≤i≤d (y1,i)0≤i≤d a (z1,i)0≤i≤d m

(z1,i)0≤i≤d z1 H1 H2 FullAdd DG (y1,i)0≤i≤d (z1,i)0≤i≤d (ri)0≤i≤d r c 1 Hash RS H FullAdd RejSp

(y2,i)0≤i≤d (z2,i)0≤i≤d DG (z2,i)0≤i≤d z2 H1 H2 FullAdd

(z2,i)0≤i≤d

(y2,i)0≤i≤d (s2,i)0≤i≤d c

Fig. 3. Composition of mSign (‘e blue gadgets will be proved d-NIo, the white ones will be proved d-NI and the red one won’t be protected) and the signature to be protected individually and then securely composed. ‘e di‚erent new blocks to achieve protection against d-th order a‹acks are depicted herea‰er and represented in Figures2 and3:

– Generation of the shared data (DG), masked version of line 1 in Algorithm2 and line 1 in Algorithm1, is a function to generate shares of y1, y2, s1 and s2. It will be described in Algorithm7, decomposed and proved d-NIo secure by decomposition. – Rejection Sampling (RS), masked version of line 5 in Algorithm2, is a test to determine if z1 and z2 belong to the set Rk−α. It will be detailed in Algorithm 16 and proved d-NI secure by decomposition. – Refresh and unmask (FullAdd) is a function that unmasks securely a variable by adding to- gether its shares modulo p without leaking the partial sums. It will be described in Algorithm 17 and proved d-NIo secure and d-NI secure when used at the end. – H1 and H2 are the elementary parts, masked versions of line 2, 3-4 and then 5-6 in Algo- rithm2. H1 is also the masked version of the instruction called in line 3 of the key derivation algorithm (Algorithm1). ‘ey are made of arithmetic computations. ‘ey are depicted in Algorithm 18 and 19. ‘ey will be proved d-NI secure. – Hash function, line 2 in Algorithm2. As mentioned before, is le‰ unmasked because it ma- nipulates only public data.

Algorithm5 shows a high level picture of mSign with all these blocks and Algorithm6 shows mKD.

‘e proofs of dNI or d-NIo security will be given in the following subsection. ‘en, the composition will be proved in Section 4.3 to achieve global security in the d-probing model with public outputs. ‘is yields the d-NIo security of the masked signature and masked key generation algorithms in ‘eorems2 and3, respectively. By combining these results with the re€ned analysis of the GLP signature in ‘eorem1, one obtains the desired security guarantee, as discussed in Section3.

12 Algorithm 5: mSign Data: m, pk = (a, t), sk = ((s1,i)0≤i≤d, (s2,i)0≤i≤d) Result: Signature σ 1 (y1,i)0≤i≤d ← DG(k, d) 2 (y2,i)0≤i≤d ← DG(k, d) 1 3 (ri)0≤i≤d ← H (a, (y1,i)0≤i≤d, (y2,i)0≤i≤d) 4 r ← FullAdd((ri)0≤i≤d) 5 c ← hash(r, m) 1 6 (z1,i)0≤i≤d ←H (c, (s1,i)0≤i≤d, (y1,i)0≤i≤d) 1 7 (z2,i)0≤i≤d ←H (c, (s2,i)0≤i≤d, (y2,i)0≤i≤d) 8 RejSp ← RS((z1,i)0≤i≤d, (z2,i)0≤i≤d, k − α) 2 9 (z1,i)0≤i≤d ← H (RejSp, (z1,i)0≤i≤d) 2 10 (z2,i)0≤i≤d ← H (RejSp, (z2,i)0≤i≤d) 11 z1 ←FullAdd((z1,i)0≤i≤d) 12 z2 ←FullAdd((z2,i)0≤i≤d) 13 return σ = (z1, z2, c)

Algorithm 6: mKD Result: Signing key sk, veri€cation key pk 1 (s1,i)0≤i≤d ← DG(1, d) 2 (s2,i)0≤i≤d ← DG(1, d) $ 3 a ←−R 1 4 (ti)0≤i≤d ← H (a, (s1,i)0≤i≤d, (s2,i)0≤i≤d) 5 t ← FullAdd((ti)0≤i≤d) 6 sk ← ((s1,i)0≤i≤d, (s2,i)0≤i≤d) 7 pk ← (a, t) 8 return as public key (a, t) 9 return as secret key ((s1,i)0≤i≤d, (s2,i)0≤i≤d)

4.2 Masked gadgets In this section each gadget will be described and proved d-NI or d-NIo secure. ‘e diculty is located in the gadgets containing Boolean/arithmetic conversions. In those gadgets (DG and RS) a detailed motivation and description has been made.

Data generation (DG). In the unmasked GLP signing algorithm, the coecients of the “com- mitment” polynomials y1, y2 are sampled uniformly and independently from an integer interval of the form [−k, k]. In order to mask the signing algorithm, one would like to obtain those val- ues in masked form, using order-d arithmetic masking modulo p. Note that since all of these coecients are completely independent, the problem reduces to obtaining an order-d mod-p arithmetic masking of a single random integer in [−k, k]. Accordingly, we will €rst create an algorithm called Random Generation (RG) which gener- ates an order-d mod-p arithmetic masking of a single random integer in [−k, k]. Next, we will use RG in an algorithm called Data Generation (DG) which generates a sharing of a value in Rk.

13 Algorithm 7: Data Generation (DG) Data: k and d Result: A uniformly random polynomial y in Rk in arithmetic masked form (yi)0≤i≤d. d 1 (yi)0≤i≤d ← {0} 2 for j = 0 to n − 1 do 3 (ai)0≤i≤d ← RG(k, d) j 4 (yi)0≤i≤d ← (yi + aix )0≤i≤d 5 end 6 return (yi)0≤i≤d

DG is calling RG n times and is described in Algorithm7. RG is described herea‰er and will be given in Algorithm 15. Let us now build RG. Carrying out this masked random sampling in arithmetic form di- rectly and securely seems dicult. On the other hand, it is relatively easy to generate a Boolean masking of such a uniformly random value. We can then convert that Boolean masking to an arithmetic masking using Coron et al.’s higher-order Boolean-to-arithmetic masking conver- sion technique [15]. ‘e technique has to be modi€ed slightly to account for the fact that the modulus p of the arithmetic masking is not a power of two, but the overall structure of the al- gorithm remains the same. To obtain a be‹er complexity, we also use the Kogge–Stone adder based addition circuit already considered in [14]. A more precise description of our approach is as follows. Let K = 2k + 1, and w0 be the smallest integer such that 2w0 > K. Denote also by w the bit size of the Boolean masking we w are going to use; we should have w > w0 + 1 and 2 > 2p. For GLP masking, a natural choice, particularly on a 32-bit architecture, would be w = 32. 0 Now the €rst step of the algorithm is to generate w0-bit values (xi )0≤i≤d uniformly and independently at random, and apply a multiplication-based share refreshing algorithm Refresh, as given in Algorithm8, to obtain a fresh w-bit Boolean masking (xi)0≤i≤d of the same value x: d d M 0 M x = xi = xi. i=0 i=0

Note that x is then a uniform integer in [0, 2w0 − 1]. We then carry out a rejection sampling on x: if x ≥ K, we restart the algorithm. If this step is passed successfully, x will thus be uniformly distributed in [0,K − 1] = [0, 2k]. Of course, the test has to be carried out securely at order d. ‘is can be done as follows: com- pute a random w-bit Boolean masking (ki)0≤i≤d of the constant (−K) (the two’s complement of K over w bits; equivalently, one can use 2w − K), and carry out the d-order secure ad-
dition SecAdd (xi)0≤i≤d, (ki)0≤i≤d , given in Algorithm9 (where Refresh denotes the d-SNI multiplication-based refresh as proven in [4] and recalled in Algorithm8). ‘e result is a Boolean masking (δi)0≤i≤d of the di‚erence δ = x − K in two’s complement form. In particular, the most signi€cant bit b of δ is 0 if and only if x ≥ K. Since computing the most signi€cant bit is an F2-linear operation, we can carry it out componentwise to obtain a masking (bi)0≤i≤d of b with bi = δi  (w − 1). ‘e resulting bit b is non-sensitive, so we can unmask it to check whether to carry out the rejection sampling.

14 Algorithm 8: Multiplication-based refresh algorithm for Boolean masking (Refresh) Data: A Boolean masking (xi)0≤i≤d of some value x; the bit size w of the returned masks 0 Result: An independent Boolean masking (xi)0≤i≤d of x 0 1 (xi)0≤i≤d ← (xi)0≤i≤d 2 for i = 0 to d do 3 for j = i + 1 to d do 4 pick a uniformly random w-bit value r 0 0 5 xi ← xi ⊕ r 0 0 6 xj ← xj ⊕ r 7 end 8 end 0 9 return (xi)0≤i≤d

Algorithm 9: Integer addition of Boolean maskings (SecAdd), as generated by the maskComp tool from the Kogge–Stone adder of [14]

Data: Boolean maskings (xi)0≤i≤d, (yi)0≤i≤d of integers x, y; the bit size w of the masks Result: A Boolean masking (zi)0≤i≤d of x + y 1 (pi)0≤i≤d ← (xi ⊕ yi)0≤i≤d
2 (gi)0≤i≤d ← SecAnd (xi)0≤i≤d, (yi)0≤i≤d, w 3 for j = 1 to W := dlog2(w − 1)e − 1 do j−1 4 pow ← 2 5 (ai)0≤i≤d ← (gi  pow)0≤i≤d
6 (ai)0≤i≤d ← SecAnd (ai)0≤i≤d, (pi)0≤i≤d, w 7 (gi)0≤i≤d ← (gi ⊕ ai)0≤i≤d 0 8 (ai)0≤i≤d ← (pi  pow)0≤i≤d 0 0
9 (ai)0≤i≤d ← Refresh (ai)0≤i≤d, w 0
10 (pi)0≤i≤d ← SecAnd (pi)0≤i≤d, (ai)0≤i≤d, w 11 end W 12 (ai)0≤i≤d ← (gi  2 )0≤i≤d
13 (ai)0≤i≤d ← SecAnd (ai)0≤i≤d, (pi)0≤i≤d, w 14 (gi)0≤i≤d ← (gi ⊕ ai)0≤i≤d
15 (zi)0≤i≤d ← xi ⊕ yi ⊕ (gi  1) 0≤i≤d 16 return (zi)0≤i≤d

15 Algorithm 10: Mod-p addition of Boolean maskings (SecAddModp) Data: Boolean maskings (xi)0≤i≤d, (yi)0≤i≤d of integers x, y; the bit size w of the masks (with 2w > 2p) Result: A Boolean masking (zi)0≤i≤d of x + y mod p w
1 (pi)0≤i≤d ← 2 − p, 0,..., 0
2 (si)0≤i≤d ← SecAdd (xi)0≤i≤d, (yi)0≤i≤d, w 0
3 (si)0≤i≤d ← SecAdd (si)0≤i≤d, (pi)0≤i≤d, w 0
4 (bi)0≤i≤d ← si  (w − 1) 0≤i≤d
5 (ci)0≤i≤d ← Refresh (bi)0≤i≤d, w
6 (zi)0≤i≤d ← SecAnd (si)0≤i≤d, (ci)0≤i≤d, w e
7 (ci)0≤i≤d ← Refresh (bi)0≤i≤d, w 0
8 (zi)0≤i≤d ← (zi)0≤i≤d ⊕ SecAnd (si)0≤i≤d, (¬fci)0≤i≤d, w 9 return (zi)0≤i≤d

A‰er carrying out these steps, we have obtained a Boolean masking of a uniformly random integer in [0, 2k]. What we want is a mod-p arithmetic masking of a uniformly random integer in the interval [−k, k], which is of the same length as [0, 2k]. If we can convert the Boolean masking to an arithmetic masking, it then suces to subtract k from one of the shares and we obtain the desired result. To carry out the Boolean-to-arithmetic conversion itself, we essentially follow the approach of [15, §5], with a few changes to account for the fact that p is not a power of two. ‘e main change is that we need an algorithm for the secure addition modulo p of two val- ues y, z in Boolean masked form (yi)0≤i≤d, (zi)0≤i≤d (assuming that y, z ∈ [0, p)). Such an algorithm SecAddModp is easy to construct from SecAdd (see Algorithm 10 with SecAnd the d-order secure bitwise AND operation from [24,32] and recalled in Algorithm 11) and the com- parison trick described earlier. More precisely, the approach is to €rst compute (si)0≤i≤d =
SecAdd (yi)0≤i≤d, (zi)0≤i≤d , which is a Boolean sharing of the sum s = y + z without mod- 0
ular reduction, and then (si)0≤i≤d = SecAdd (si)0≤i≤d, (pi)0≤i≤d for a Boolean masking w (pi)0≤i≤d of the value −p in two’s complement form (or equivalently 2 − p). ‘e result is a masking of s0 = s − p in two’s complement form. In particular, we have s ≥ p if and only if the most signi€cant bit b of s0 is 0. Denote by r the desired modular addition y + z mod p. We thus have: ( s if b = 1; r = s0 if b = 0. As a result, we can obtain the masking of r in a secure way as:

0
(ri)0≤i≤d = SecAnd (si)0≤i≤d, (bei)0≤i≤d ⊕ SecAnd (si)0≤i≤d, (¬fbi)0≤i≤d , where we denote by eb the extension of the bit b to the entire w-bit register (this is again an F2-linear operation that can be computed componentwise). ‘is concludes the description of SecAddModp. Using SecAddModp instead of SecAdd in the algorithms of [15, §4], we also immediately ob- Pd tain an algorithm SecArithBoolModp for converting a mod-p arithmetic masking a = i=0 ai mod Ld 0 p of a value a ∈ [0, p) into a Boolean masking a = i=0 ai of the same value. ‘e naive way

16 Algorithm 11: Bitwise AND of Boolean maskings (SecAnd) from [24,32] Data: Boolean maskings (xi)0≤i≤d, (yi)0≤i≤d of integers x, y; the bit size w of the masks Result: A Boolean masking (ri)0≤i≤d of x ∧ y 1 (ri)0≤i≤d ← (xi ∧ yi)0≤i≤d 2 for i = 0 to d do 3 for j = i + 1 to d do 4 pick a uniformly random w-bit value zij 5 zji ← (xi ∧ yj) ⊕ zij 6 zji ← zji ⊕ (xj ∧ yi) 7 ri ← ri ⊕ zij 8 rj ← rj ⊕ zji 9 end 10 end 11 return (ri)0≤i≤d

Algorithm 12: Secure conversion from mod-p arithmetic masking to Boolean masking (SecArithBoolModp); this is the simple version (cubic in the masking order)

Data: Arithmetic masking (ai)0≤i≤d modulo p of an integer a; the bit size w of the returned masks (with 2w > 2p) 0 Result: A Boolean masking (ai)0≤i≤d of a 0
1 (ai)0≤i≤d ← 0,..., 0 2 for j = 0 to d do
3 (bi)0≤i≤d ← aj, 0,..., 0
4 (bi)0≤i≤d ← Refresh (bi)0≤i≤d, w 0 0
5 (ai)0≤i≤d ← SecAddModp (ai)0≤i≤d, (bi)0≤i≤d, w 6 end 0 7 return (ai)0≤i≤d

of doing so (see Algorithm 12), which is the counterpart of [15, §4.1], is to simply construct a Boolean masking of each of the shares ai, and to iteratively apply SecAddModp to those masked values. ‘is is simple and secure, but as noted by Coron et al., this approach has cubic complex- ity in the masking order d (because SecAdd and hence SecAddModp are quadratic). A more advanced, recursive approach allows to obtain quadratic complexity for the whole conversion: this is described in [15, §4.2], and directly applies to our se‹ing. With both algorithms SecAddModp and SecArithBoolModp in hand, we can easily com- plete the description of our commitment generation algorithm by mimicking [15, Algorithm 6]. To convert the Boolean masking (xi)0≤i≤d of x to a mod-p arithmetic masking, we €rst generate random integer shares ai ∈ [0, p), 1 ≤ i ≤ d, uniformly at random. We then de€ne 0 0 0 ai = −ai mod p = p − ai for 1 ≤ i ≤ d and a0 = 0. ‘e tuple (ai)0≤i≤d is thus a mod-p 0 P arithmetic masking of the sum a = − 1≤i≤d ai mod p. Using SecArithBoolModp, we con- Ld 0 vert this arithmetic masking to a Boolean masking (yi)0≤i≤d, so that i=0 yi = a . Now, let

17 Algorithm 13: Refresh-and-unmask algorithm for Boolean masking (FullXor) from [15] Data: A Boolean masking (xi)0≤i≤d of some value x; the bit size w of the masks Result: ‘e value x 0
1 (xi)0≤i≤d ← FullRefresh (xi)0≤i≤d, w 0 2 x ← x0 3 for i = 1 to d do 0 4 x ← x ⊕ xi 5 end 6 return x

Algorithm 14: Stronger Refresh algorithm for Boolean masking (FullRefresh) from [12, Algorithm 4]

Data: A Boolean masking (xi)0≤i≤d of some value x; the bit size w of the returned masks 0 Result: An independent Boolean masking (xi)0≤i≤d of x 0 1 (xi)0≤i≤d ← (xi)0≤i≤d 2 for i = 0 to d do 3 for j = 1 to d do 4 pick a uniformly random w-bit value r 0 0 5 x0 ← x0 ⊕ r 0 0 6 xj ← xj ⊕ r 7 end 8 end 0 9 return (xi)0≤i≤d

(zi)0≤i≤d = SecAddModp (xi)0≤i≤d, (yi)0≤i≤d ; this is a Boolean masking of:

d ! 0 X z = (x + a ) mod p = x − ai mod p. i=1 We then securely unmask this value using Coron et al.’s FullXor procedure, recalled in Al- gorithms 13 and 14, and set a0 = z − k mod p. ‘en, we have:

d d d d X X X X ai mod p = z − k + ai mod p = x − k − ai + ai mod p = x − k mod p. i=0 i=1 i=1 i=1

‘us, (ai)0≤i≤d is a correct mod-p arithmetic masking of a uniformly random value in [−k, k] as required. ‘e whole procedure is summarized in Algorithm 15 and described in Figure4 where xGen stands for the generation of x0’s shares, Refresh for the multiplication-based refreshing from [24,4], kGen for the generation of k’s shares,  for the right shi‰ of δ’s shares, FullX for FullXor, aGen for the generation of a’s shares, SecABM for SecArithBoolModp, and SecAMp for SecAddModp. ‘e success probability of the rejection sampling step (the masked comparison to K) is w0 K/2 , and hence is at least 1/2 by de€nition of w0. ‘erefore, the expected number of runs requiered to complete is at most 2 (and in fact, a judicious choice of k, such as one less than a

18 kGen

(ki)0≤i≤d b = 0 0 (xi )0≤i≤d (xi)0≤i≤d (δi)0≤i≤d (bi)0≤i≤d xGen Refresh SecAdd  FullX b = 1

(xi)0≤i≤d

if b = 1

aGen SecABMp SecAMp FullX a0 0 (ai)0≤i≤d (yi)0≤i≤d (zi)0≤i≤d

Fig. 4. Randomness Generation RG (‘e green (resp. white, red) gadgets will be proved d-SNI (resp. d-NI, unmasked))

Algorithm 15: Randomness generation (RG) Data: k and d Result: A uniformly random a integer in [−k, k] in mod-p arithmetic masked form (ai)0≤i≤d. 0 1 generate uniformly random w0-bit values (xi )0≤i≤d 0
2 (xi)0≤i≤d ← Refresh (xi )0≤i≤d 3 initialize (ki)0≤i≤d to a w-bit Boolean sharing of the two’s complement value −K = −2k − 1
4 (δi)0≤i≤d ← SecAdd (xi)0≤i≤d, (ki)0≤i≤d 5 (bi)0≤i≤d ← (δi)0≤i≤d  (w − 1)
6 b ← FullXor (bi)0≤i≤d 7 output b 8 if b = 0 then 9 restart 10 end 11 generate uniform integers (ai)1≤i≤d in [0, p) 0 12 ai ← −ai mod p for i = 1, . . . , d 0 13 a0 ← 0 0
14 (yi)0≤i≤d ← SecArithBoolModp (ai)0≤i≤d
15 (zi)0≤i≤d ← SecAddModp (xi)0≤i≤d, (yi)0≤i≤d
16 a0 ← FullXor (zi)0≤i≤d 17 return (ai − ki)0≤i≤d

19 power of two, can make the success probability very close to 1). Since all the algorithms we rely on are at most in the masking order and (when using the masked Kogge–Stone adder of [14]) logarithmic in the size w of the Boolean shares, the overall complexity is thus O(d2 log w). Now that the randomness generation is decribed, each intermediate gadget will be proven either d-NI or d-NIo secure. ‘en, the global composition is proven d-NIo secure as well.

Lemma 2. Gadget SecAdd is d-NI secure.

Proof. Gadget SecAdd is built from the Kogge-Stone adder of [14] with secure AND and secure linear functions such as exponentiations and Boolean additions. As to ensure its security with the combination of these atomic masked functions, the tool maskComp was used to properly insert the mandatory d-SNI refreshings, denoted as Refresh in Algorithm9. As deeply explained in its original paper, maskComp provides a formally proven d-NI secure implementation. ut

Lemma 3. Gadget SecAddModp is d-NI secure.

Proof. Gadget SecAddModp is built from the gadget SecAdd and SecAnd and linear operations (like ⊕). We use the tool maskComp to generate automatically a veri€ed implementation. Note that the tool automatically adds the two refreshs (line 5 and 7) and provides a formally proven d-NI secure implementation. ut

Lemma 4. Gadget SecArithBoolModp is d-SNI secure.

Proof. A graphical representation of SecArithBoolModp is in Figure5. Let O be a set of ob- servations performed by the a‹acker on the €nal returned value, let IAj be the set of internal observations made in step j in the gadget SecAddModp (line 5), and IRj be the set of internal observations made in the step j in the initialisation of b (line 3) or in the Refresh (line 4). As- P suming that |O| + (|IAj | + |IRj |) ≤ d, the gadget is d-SNI secure, if we can build a simulator allowing to simulate all the internal and output observations made by the a‹acker using a set S P of shares of a such that |S| ≤ (|IAj | + |IRj |).

At the last iteration (see €gure6), the set of observations O∪IAd can be simulated using a set 0 S 0 of shares of a and S of shares of b with |S 0 | ≤ |O|+|I | and |S | ≤ |O|+|I | ad−1 bd−1 ad−1 Ad bd−1 Ad (because the gadget SecAddModp is d-NI secure). Since the Refresh is d-SNI secure, the sets S and I can be simulated using a set S 0 of input share with |S 0 | ≤ |I |. If I bd−1 Rd bd−1 bd−1 Rd Rd is not empty, then S 0 may contain a , so we add a to S. For each iteration of the loop this bd−1 d d process can be repeated. At the very €rst iteration, several shares of a0 may be necessary to simulate the set of observations. However, there are all initialized to 0, nothing is added to S.

Sa0 d−1

(ad, 0, ..., 0) Refresh SecAMp Step d I IA Sb0 Rd Sb d d−1 d−1 O

Fig. 6. Last step of SecArithBoolModp with probes (‘e green (resp. white) gadgets will be proved d-SNI (resp. d-NI))

20 (0, 0, ..., 0)

(a0, 0, ..., 0) (bi)0≤i≤d Refresh SecAMp Step 0

0 (a i)0≤i≤d

(a1, 0, ..., 0) (bi)0≤i≤d Refresh SecAMp Step 1

0 (a i)0≤i≤d …

(aj , 0, ..., 0) (bi)0≤i≤d Refresh SecAMp Step j

0 (a i)0≤i≤d …

(ad, 0, ..., 0) (bi)0≤i≤d Refresh SecAMp Step d

0 (a i)0≤i≤d

Fig. 5. Graphical Representation of SecArithBoolModp (‘e green (resp. white) gadgets will be proved d-SNI (resp. d-NI))

At the end we can conclude that the full algorithm can be simulated using the set S of input P shares. Furthermore we have |S| ≤ |IR | (since aj is added in S only if IR is not empty), so P j j we can conclude that |S| ≤ |IAj | + |IRj | which concludes the proof. ut

Lemma 5. Gadget RG is d-NIo secure with public output b.

Proof. Here we need to ensure that the returned shares of a cannot be revealed to the a‹acker through a d-order side-channel a‹ack. Since xGen and aGen are just random generation of shares, the idea is to prove that any set of t ≤ d observations on RG including these inputs can be perfectly simulated with at most t shares of x and t shares of a. Gadget RG is built with no cycle. In this case, from the composition results of [4], it is enough to prove that each sub-gadget is d-NI to achieve global security. In our case, it is enough to prove that each sub-gadget is d-NIo with the knowlegde of b to achieve global security. From Lemmas2,4, and3, SecAdd, SecArithBoolModp, and SecAddModp are d-NI secure.  is trivially d-NI secure as well since it applies a linear function, gadget FullRefresh is d-SNI secure thus d-NI secure by de€nition, and gadget kGen is generating shares of a non sensitive value. At this point, both gadgets FullXor have to be analyzed to achieve the expected overall se- curity. We start with the gadget computing b. A‰er its execution, b is broadcasted. Since b have to be public, its knowledge does not impact the security but because of this output, the secu- rity of RG will be d-NIo with public output b and not d-NI. FullXor is composed of a d-SNI

21 secure refreshing (made of d + 1 linear refreshing) of the shares and of a Boolean addition of these resulting shares. ‘e a‹acker is not able to observe intermediate variable of all the linear refreshings (since he only has δ ≤ d available observations), thus we consider that the ith re- freshing is le‰ unobserved. As a consequence, all the previous observations involve only one b’s share and all the following observations are independent from b’s share except for their sum. ‘at is, FullXor is d-NI secure. As for its second instance to compute a0, FullXor is still d-NI secure but a0 is not revealed a‰er its execution. While the a‹acker is able to observe its value, it is not returned for free. All the δ0 ≤ d observations made by the a‹acker of this last instance of FullXor can be perfectly simulated with a0 (for the observations performed a‰er the unob- served linear refreshing) and at most δ0 − 1 shares of z (for the observations made before the unobserved linear refreshing). ut

Remark 4. ‘e knowledge of b (ie. the success of the randomness generation) is not sensitive and we decided to consider it as a public output. To simplify the notation when we report the security on the whole scheme, we will omit b in the public outputs.

Lemma 6. Gadget DG is d-NIo secure with public output b.

Proof. From Lemma5, Gadget DG is d-NIo secure since it only consists in the linear application of Gadget RG to build the polynomial coecients. ut

Rejection sampling (RS). Right before the rejection sampling step of the masked signing algorithm, the candidate signature polynomials z1 and z2 have been obtained as sums of d + 1 shares modulo p, and we want to check whether the coecients in Z/pZ represented by those shares are all in the interval [−k + α, k − α]. Again, carrying out this check using mod-p arithmetic masking seems dicult, so we again resort to Boolean masking. For each coecient zi,j of z1 and z2, one can trivially obtain a mod-p arithmetic masked representation of both zi,j and −zi,j, and the goal is to check whether those values, when un- masked modulo p in the interval [(−p + 1)/2, (p − 1)/2)], are all greater than −k + α. Let a be one of those values, and a = a0 + ··· + ad mod p its masked representation. Using SecArithBoolModp as above, we can convert this mod-p arithmetic masking to a w-bit Boolean 0 masking (ai)0≤i≤d. From this masking, we €rst want to obtain a masking of the centered rep- resentative of a mod p, i.e. the value a00 such that: ( a if a ≤ (p − 1)/2, a00 = a − p otherwise.

‘is can be done using a similar approach as the one taken for randomness generation: compute a Boolean masking (bi)0≤i≤d of the most signi€cant bit a−(p+1)/2 (which is 1 in the €rst case and 0 in the second case), and a Boolean masking (si)0≤i≤d of the sum a − p. ‘en, a Boolean 00 masking of (ai )0≤i≤d is obtained as:

00 0

(ai )0≤i≤d = SecAnd (ai)0≤i≤d, (bei)0≤i≤d ⊕ SecAnd (si)0≤i≤d, ¬(bei)0≤i≤d .

Finally, once this Boolean masking is obtained, it suces to add k − ω to it and check the most signi€cant bit to obtain the desired test. We cannot directly unmask that €nal bit, but we can compute it in masked form for all the 4n values to be tested, and apply SecAnd iteratively on all of these values to compute a Boolean

22 Algorithm 16: Rejection sampling (RS) Data: ‘e 4n values a(j) to check, in mod-p arithmetic masked representation (j) (ai )0≤i≤d. Result: ‘e bit r equal to 1 if all values satisfy that a(j) + k − α ≥ 0, and 0 otherwise. 1 initialize (ri)0≤i≤d as a single-bit Boolean masking of 1 2 initialize (pi)0≤i≤d as a w-bit Boolean masking of −p 0 3 initialize (pi)0≤i≤d as a w-bit Boolean masking of −(p + 1)/2 0 4 initialize (ki)0≤i≤d as a w-bit Boolean masking of k − α 5 for j = 1 to 4n do 0 (j)
6 (ai)0≤i≤d ← SecArithBoolModp (ai )0≤i≤d 0 0
7 (δi)0≤i≤d ← SecAdd (ai)0≤i≤d, (pi)0≤i≤d 8 (bi)0≤i≤d ← (δi)0≤i≤d  (w − 1) 0
9 (si)0≤i≤d ← SecAdd (ai)0≤i≤d, (pi)0≤i≤d
10 (ci)0≤i≤d ← Refresh (bi)0≤i≤d 0 0
11 (ai)0≤i≤d ← SecAnd (ai)0≤i≤d, (ci)0≤i≤d
e 12 (ci)0≤i≤d ← Refresh (bi)0≤i≤d 0 0
13 (ai)0≤i≤d ← (ai)0≤i≤d ⊕ SecAnd (si)0≤i≤d, ¬(cei)0≤i≤d 0 0
14 (δi)0≤i≤d ← SecAdd (ai)0≤i≤d, (ki)0≤i≤d 15 (bi)0≤i≤d ← (δi)0≤i≤d  (w − 1)
16 (ri)0≤i≤d ← SecAnd (ri)0≤i≤d, ¬(bi)0≤i≤d 17 end
18 r ← FullXor (ri)0≤i≤d 19 return r

masked representation of the bit equal to 1 if all the coecients are in the required intervals, and 0 otherwise. ‘is bit can be safely unmasked, and is the output of our procedure. ‘e whole algorithm is summarized as Algorithm 16. Since both SecArithBoolModp and SecAnd have quadratic complexity in the masking order (and SecArithBoolModp has logarithmic complexity in the size w of the Boolean shares), the overall complexity of this algorithm is O(nd2 log w).

Lemma 7. Gadget RS is d-NI secure.

Proof. From Lemmas2 and4, Gadgets SecArithBoolModp and SecAdd are d-NI secure. Gad- get SecAnd is d-SNI secure from [32,4] and  is linear, thus trivially d-NI secure as well. As done for Gadget SecAdd, the tool maskComp was called to generate a d-NI circuit from the initial sequence of gadgets. It inserted gadgets Refresh (as shown in Algorithm 16) at speci€c locations so that the overall circuit is formally proven to be d-NI secure. ut

Refresh and Unmask (FullAdd). ‘is part provides a computation of the sensitive value as the sum of all its shares. It is a gadget with public output because the €nal value is returned and also output. ‘is output is useful when FullAdd is used to recombine the intermediate value r. Before summing, the sharing is given as input for FullRefresh [12, Algorithm 4], which is made of a succession of d + 1 linear refresh operations. ‘ose linear refreshing modify the

23 Algorithm 17: FullAdd Data: (ri)0≤i≤d Result: r 1 if (ri)0≤i≤d = ⊥ then 2 return ⊥ 3 end 4 (ri)0≤i≤d ← FullRefresh ((ri)0≤i≤d) 5 r ← (r0 + ... + rd) 6 output (r) 7 return (r)

sharing by adding randoms elements to each share while keeping constant the value of the sum. ‘eir number is strictly superior to d which is useful to consider that any share or strictly partial sum of shares at the output of the €nal linear refreshing is independent from the original sharing. ‘en, the following partial sums do not give any information about the original sharing which is dependent of the sensitive values. ‘e whole algorithm, given in Algorithm 17 has a quadratic complexity in d.

Lemma 8. Gadget FullAdd is d-NIo secure with public output r.

Proof. Let δ ≤ d be the number of observations made by the a‹acker. We use a combination of d + 1 linear refresh operations. ‘at is, there is at least one of the linear refreshing (we call th it the i refreshing) which is not observed by the a‹acker. For all the δ1 ≤ δ observations th preceding the i refreshing in FullAdd, they can be perfectly simulated with at most δ1 shares of r since each one of them involves at most one ri. As for the observations performed a‰er the th i refreshing, each one of them is independent from the ri inside the refresh mask and each intermediate sum of the unmask part is independent of the ri as well with the knowledge of r. ‘en, during the sum computation, all the ri can be simulated with fresh random that sum to r (the public output). ‘us, at most δ shares of r and r itself are enough to simulate further probes. ut

Remark 5. When FullAdd is used at the very end of the whole algorithm (mKD or mSign), the public outputs are also among the returned values. ‘en, in those cases, it can be considered as d-NI.

Transition parts. ‘e elementary parts H1 and H2 are quite easy to build since they perform only linear operations on the input data. A masked implementation only performs these linear operations on each share to securely compute the returned shares. H1 and H2 are described in Algorithms 18 and 19.

Lemma 9. Gadgets H2 and H1 are d-NI secure.

Proof. ‘e straightforward proofs are the following.

– d-NI security of H1. Let δ ≤ d be the number of observations made by the a‹acker. ‘e only possible observations are the sensitive values y1,i, y2,i and ay1,i + y2,i.‘e proof

24 Algorithm 18: H1 Algorithm 19: H2 Data: a, (y1,i)0≤i≤d Data: RejSp, (z1,i)0≤i≤d 1 for 0 ≤ i ≤ d do 1 if RejSp = 0 then 2 ri ← ay1,i + y2,i 2 (z1,i)0≤i≤d ← ⊥ 3 end 3 end 4 return (ri)0≤i≤d 4 return (z1,i)0≤i≤d

consists in €lling an empty set I with at most δ indices in [0, d] such that the distribution of any tuple (v1, ..., vδ) of intermediate variables of the block can be perfectly simulated from the sensitive values. We build the set I with the indice i of each intermediate values in (v1, ..., vδ). A‰er building it, we simulate each one of them with the corresponding share of the inputs. At the end, any set of δ ≤ d intermediate variables can be perfectly simulated with at most δ shares of each sensitive input. ‘is is enough to prove that H1 is d-NI secure.

– d-NI security of H2. ‘e proof is very similar to the previous one. Let δ ≤ d be the number of observations made by the a‹acker. ‘e only possible observations are the sensitive values z1,i or on the intermediate value RejSp. So, to simulate z1,i we use the corresponding share of the input. And RejSp is a bit showing if the rejection sampling failed, it’s a public information. ut

Hash function. ‘e hash function does not manipulate any sensitive data. ‘us, it is le‰ un- masked.

4.3 Proofs of composition ‡eorem 2. Œe masked GLP sign in Algorithm5 is d-NIo secure with public output {r, b}.

Proof. From Lemmas6,7 and9, Algorithms DG, RS, H1, and H2 are all d-NI. From Lemma8, FullAdd is d-NIo secure. Let us assume that an a‹acker has access to δ ≤ d observations on the whole signature scheme. ‘en, we want to prove that all these δ observations can be perfectly simulated with at most δ shares of each secret among y1, y2, s1 and s2 and the public variables. With such a result, the signature scheme is then secure in the d-probing model since no set of at most d observations would give information on the secret values. In the following, we consider the following distribution of the a‹acker’s δ observations: δ1 1 (resp. δ2) on the instance of DG that produces shares of y1 (resp. y2), δ3 on H , δ4 on FullAdd of 1 r, δ5 (resp. δ6) on H which produces z1 (resp. z2), δ7 on the instance of RS, δ8 (resp. δ9) on 2 H applied on z1 (resp. z2), and δ10 (resp. δ11) on FullAdd of z1 (resp. z2). Some other observa- tions can be made on the Hash function, their number won’t ma‹er during the proof. Finally, P11 P11 we have i=1 δi ≤ i=1 +δHash ≤ δ. Now, we build the proof from right to le‰ as follows. Both last FullAdd blocks in the very end of mSign are d-NI secure, then all the observations performed during the execution of FullAdd on z1 (resp. z2) can be perfectly simulated with at most δ10 (resp. δ11) shares of z1 (resp. z2).

25 2 2 H is d-NI secure, then all the observations from the call of H on z1 (resp. z2) can be perfectly simulated with δ8 + δ10 (resp. δ9 + δ11) shares of the sensitive input z1 (resp. z2). ‘e inputs z1 and z2 do not come from RS which do not act on them. ‘ey are directly taken from the returned values of H1. RS is d-NI secure and do not return any sensitive element, then all the observations per- 1 formed in gadget RS can be perfectly simulated with at most δ7 shares of z1 and z2. So, a‰er H , the observations can be simulated with δ7 + (δ8 + δ10) shares of z1 and δ7 + (δ9 + δ11) shares of z2. 1 1 H is d-NI secure as well, thus all the observations from the call of H on y1 can be perfectly simulated with δ5 + δ7 + δ8 + δ10 ≤ δ shares of y1 and s1. Respectively, on y2, the observations can be perfectly simulated from δ6 + δ7 + δ9 + δ11 ≤ δ shares of y2 and s2. ‘e le‰ FullAdd gadget is d-NIo secure and do not return any sensitive element, then all the observations performed in this gadget can be perfectly simulated with at most δ4 shares of r. ‘e le‰ H1 gadget is d-NI secure, thus all the observations from its call can be perfectly simulated with at most δ3 + δ4 shares of each one of the inputs y1 and y2. DG is also d-NI secure, thus we need to ensure that the number of reported observations does not exceed δ. At the end of DG, the simulation relies on (δ3 + δ4) + (δ5 + δ7 + δ8 + δ10) ≤ δ shares of y1 and (δ3 + δ4) + (δ6 + δ7 + δ9 + δ11) ≤ δ shares of y2. With the additional δ1 (resp. δ2) observations performed on the €rst (resp. the second) instance of DG, the number of observations remains below δ which is sucient to ensure security of the whole scheme in the d-probing model. ut

‡eorem 3. Œe masked GLP key derivation in algorithm6 is d-NIo secure with public output b.

Proof. From Lemmas6 and9, Algorithms DG, H1 are all d-NI. From Lemma8, FullAdd is d-NIo secure. Here too, let us assume that an a‹acker has access to δ ≤ d observations on the whole signature scheme. ‘en, we want to prove that all these δ observations can be perfectly simulated with at most δ shares of each secret among s1 and s2. We now consider the following distribution of the a‹acker’s δ observations: δ1 (resp. δ2) on 1 the instance of DG that produces shares of s1 (resp. s2), δ3 on H , and δ4 on FullAdd, such that P4 i=1 δi = δ. Now, we build the proof from right to le‰: FullAdd is used at the very end of mKD, so it is d-NI secure. ‘us, all the observations from the call of FullAdd can be perfectly simulated with δ4 ≤ δ sensitive shares of the input t. H1 is d-NI, thus all the observations from its call can be perfectly simulated with at most δ3 + δ4 ≤ δ shares of each one of the inputs s1 and s2. DG is d-NIo, thus we need to ensure that the number of reported observations does not exceed δ. At the end of DG, the simulation relies on (δ3 + δ4) ≤ δ shares of s1 and s2. With the additional δ1 (resp. δ2) observations performed on the €rst (resp. the second) instance of DG, the number of observations on each block remains below δ. All the observations can thus be perfectly simulated with the only knowledge of the outputs, that is, the key derivation algorithm is this d-NIo secure. ut

26 4.4 EUF-CMA security in the d-probing model Let UnmaskedRefresh be the unmasked version of a refreshing gadget. Algorithm 20: UnmaskedRefresh Data: (xi)0≤i≤d 1 for 0 ≤ i ≤ d − 1 do 0 2 xi ← $ 3 end 0 Pd Pd−1 0 4 xd = k=0 xk − k=0 xk 5 return (xi)0≤i≤d

‡eorem 4. Assuming the hardness of the DCKp,n and R-DCKp,n problems, the signature scheme r-GLP masked at order d with key update algorithm UnmaskedRefresh is EUF-CMA secure in the d-probing model (see De€nition1) and in the random oracle model.

Proof. Let Advd-probing-EUF-CMA be the advantage of an adversary A against the d-probing-EUF- CMA security game for r-GLP masked at order d with key update algorithm UnmaskedRefresh. Remark that b is drawn under a publicly known distribution and is independent of the secret. Hence the advantage of the advantage of an adversary against the EUF-CMA security game for GLP with returned value b, r is exactly AdvEUF-CMA, the advantage of an adversary against the EUF-CMA security game for r-GLP. ‘is advantage is negligible (see ‘eorem1) and has been quanti€ed in ‘eorem5.

In the following, we will prove that Advd-probing-EUF-CMA = AdvEUF-CMA which is sucient to conclude the proof. Indeed, thanks to theorem5, under the hardness of the DCKp,n and R- EUF-CMA d-probing-EUF-CMA DCKp,n, Adv and so Adv will be negligible.

In the d-probing-EUF-CMA se‹ing, the signature oracle called S is statefull. Lets us de€ne this oracle by the following :

(i−1)
S(m, OSign) = Sign(m, pk, sk ), LSign where i ∈ [1, q] is the state, i.e. the index of the query, and sk(i) = KeyUpdatei(sk) (with the convention sk0 = sk).

Leakage Simulators – According to ‘eorem2, the d−NIo security of GLP Sign implies the d−NI security of r- GLP Sign. Indeed, in r-GLP Sign, the output values are actual returned values. One subtelty is that the a‹acker A is able to make d observations on each call to the signature oracle but not during the key refreshings. For any set of at most d observations during the ith call to the signature oracle, the d−NI (i),Sim security ensures the existence of a perfectly simulated leakage LSign that is generated from at most d shares of sk(i−1). Because the a‹acker is not able to get any observation during the UnmaskedRefresh, if i 6= 1, the d shares of sk(i−1) can be perfectly simulated from random. When i = 1, the observations are directly simulated with at most d shares (0) (1),Sim (q),Sim
of sk = sk. In total, the q leakages LSign ...LSign are perfectly simulated from at

27 most d shares of sk. ‘us, they are independant from the unmasked value of the secret.

– Identically, according to ‘eorem3, for any set of at most d observations during the key Sim generation, there exists a perfectly simulated leakage LKeyGen that is independant from the unmasked value of the secret.

Here are the hybrid games involved in the security proof.

Game G0: ‘is game is the security game of the EUF-CMA security in the d-probing model. 1. OKeyGen ← A
λ 2. (sk, pk), LKeyGen ← ExecObs(OKeyGen, KeyGen, 1 ) ∗ ∗ H,S 3. (m , σ ) ← A (pk, LKeyGen) ∗ ∗ (i) 4. return 1 if Verify(pk, m , σ ) = 1 and |OKeyGen| ≤ d and ∀i ∈ {1, . . . , q}, |OSign| ≤ d and (m∗, σ∗) has not been returned by the signature oracle return 0 otherwise. (i),Sim (i) Game G1: Let S’ be a copy of S that outputs LSign instead of LSign for all i. In the following game, all the leakages given to the a‹acker are replaced by the simulated leakages. 1. OKeyGen ← A
λ 2. (sk, pk), LKeyGen ← ExecObs(OKeyGen, KeyGen, 1 ) ∗ ∗ H,S0 Sim 3. (m , σ ) ← A (pk, LKeyGen) ∗ ∗ (i) 4. return 1 if Verify(pk, m , σ ) = 1 and |OKeyGen| ≤ d and ∀i ∈ {1, . . . , q}, |OSign| ≤ d and (m∗, σ∗) has not been returned by the signature oracle return 0 otherwise. Sim By de€nition of L , this game is perfectly indistinguisable from G0. Game G2: ‘is game is the security game of the EUF-CMA security. 1. (sk, pk) ← KeyGen(1λ) 2. (m∗, σ∗) ← AH,Sign(·,sk)(pk) 3. return 1 i‚ Verify(pk, m∗, σ∗) = 1 and (m∗, σ∗) has not been returned by the oracle Sign(·, sk). (i) Sim Since in game G1, |OKeyGen| ≤ d and |OSign| ≤ d for all i ∈ [1, q], having access to L pro- vides no advantage to the a‹acker. ‘en, the advantage for G1 is the same as the advantage for G2. Finally Advd-probing-EUF-CMA = AdvEUF-CMA. ut

5 Implementation of the countermeasure

We have carried out a completely unoptimized implementation of our masking countermea- sure based on a recent, public domain implementation of the GLP signature scheme called GLYPH [10,11]. ‘e GLYPH scheme actually features a revised set of parameters supposedly achieving a greater level of security (namely, n = 1024, p = 59393, k = 16383 and α = 16), as well as a modi€ed technique for signature compression. We do not claim to vouch for those changes, but stress that, for our purposes, they are essentially irrelevant. Indeed, the overhead of our countermeasure only depends on the masking order d, the bit size w of Boolean masks (which should be chosen as w = 32 both for GLYPH and the original GLP parameters) and the degree n of the ring R (which is the same in GLYPH as in the high-security GLP parameters).

28 ‘erefore, our results on GLYPH should carry over to a more straightforward implementation of GLP as well. Implementation results on a single core of an Intel Core i7-3770 CPU are provided in Table1. In particular, we see that the overhead of our countermeasure with 2, 3 and 4 shares (secure in the d-probing model for d = 1, 2, 3 respectively) is around 15×, 30× and 73×. In view of the complete lack of optimizations of this implementation, we believe that those results are quite promising. ‘e memory overhead is linear in the masking order, so quite reasonable in practice (all masked values are simply represented as a vector of shares). For future work, we mention several ways in which our implementation could be sped up:

– For simplicity, we use a version of SecArithBoolModp with cubic complexity in the mask- ing order, as in [15, §4.1]. Adapting the quadratic algorithm of [15, §4.2] should provide a signi€cant speed-up. Moreover, for small values of d, Coron’s most recent algorithm [13] should be considerably faster. However, the technique from [13] unfortunately has an over- head exponential in the masking order, so it is not suitable for our purpose of masking GLP at any order. – Several of our algorithms call SecAdd on two masked values one of which is actually a public constant. One could use a faster SecAddConst procedure that only protect the secret operand instead. – Our algorithms are generic, and do not take advantage of the special shape of k for example. In the case of GLYPH, a comparison to k = 214 − 1 could be greatly simpli€ed. – Many other more technical improvements are also possible: for example, we have made no a‹empt to reduce the number of unnecessary array copies.

6 Conclusion

In this paper, we have described a provably secure masking of the GLP la‹ice-based signature scheme, as well as a proof-of-concept implementation thereof. ‘e security proof itself involved a number of new techniques in the realm of masking countermeasures. Our method should ap- ply almost identically to other la‹ice-based Fiat–Shamir type signature schemes using uniform distributions in intervals (as opposed to Gaussian distributions). ‘is includes the Bai–Galbraith signature scheme [2], as well as the recently proposed Dilithium signature [18]. We have mostly ignored the issue of signature compression, which is an important one in all of these constructions, GLP included. However, it is easy to see that compression can be securely applied completely separately from our countermeasure: this is because it only a‚ects already

Table 1. Implementation results. Timings are provided for 100 executions of the signing and veri€cation algorithms, on one core of an Intel Core i7-3770 CPU-based desktop machine.

Number of shares (d + 1) Unprotected 2 3 4 5 6

Total CPU time (s) 0.540 8.15 16.4 39.5 62.1 111 Masking overhead — ×15 ×30 ×73 ×115 ×206

29 generated signatures (which are non-sensitive) as well as the input to the hash function (which is already unmasked in our technique). On the other hand, extending our approach to schemes using Gaussian distributions appears to be really dicult: neither Boolean masking nor arithmetic masking with uniform masks seems particularly well-suited to address the problem. One way to tackle the problem might be to con- sider masking with non-uniform noise, and only achieving statistically close instead of perfect simulatability. Developing such a framework, however, is certainly a formidable challenge. Masking hash-and-sign type signatures in using GPV la‹ice trapdoors is probably even harder, as they involve Gaussian sampling not only in Z but on arbitrary subla‹ices of Zn, with variable centers. It seems unlikely that a masked GPV signature scheme can achieve a reasonable level of eciency. Finally, while we have used the maskComp tool to securely instantiate the masked versions of some of the gadgets we use in our construction, it would be interesting to leverage recent advances in veri€cation [3] and synthesis [4] of masked implementations in a more systematic way in the la‹ice-based se‹ing. Even for veri€cation, the sheer size of the algorithms involved poses signi€cant challenges in terms of scalability; however, automated tool support would be invaluable for the further development of masking in the postquantum se‹ing.

Acknowledgements. We are indebted to Vadim Lyubashevsky for fruitful discussions, and to the reviewers of EUROCRYPT for their useful comments. We acknowledge the support of the French Programme d’Investissement d’Avenir under national project RISQ. ‘is work is also partially supported by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701) and ONR Grant N000141512750. ‘is research has been partially funded by ANRT under the programs CIFRE N 2016/1583.

References

1. M. Abdalla, J. H. An, M. Bellare, and C. Namprempre. From identi€cation to signatures via the Fiat- Shamir transform: Minimizing assumptions for security and forward-security. In L. R. Knudsen, editor, EUROCRYPT 2002, volume 2332 of LNCS, pages 418–433. Springer, Heidelberg, Apr. / May 2002. 2. S. Bai and S. D. Galbraith. An improved compression technique for signatures based on learning with errors. In J. Benaloh, editor, CT-RSA 2014, volume 8366 of LNCS, pages 28–47. Springer, Heidelberg, Feb. 2014. 3. G. Barthe, S. Bela¨ıd, F. Dupressoir, P.-A. Fouque, B. Gregoire,´ and P.-Y. Strub. Veri€ed proofs of higher- order masking. In E. Oswald and M. Fischlin, editors, EUROCRYPT 2015, Part I, volume 9056 of LNCS, pages 457–485. Springer, Heidelberg, Apr. 2015. 4. G. Barthe, S. Bela¨ıd, F. Dupressoir, P.-A. Fouque, B. Gregoire,´ P.-Y. Strub, and R. Zucchini. Strong non- interference and type-directed higher-order masking. In E. R. Weippl, S. Katzenbeisser, C. Kruegel, A. C. Myers, and S. Halevi, editors, ACM CCS 16, pages 116–129. ACM Press, Oct. 2016. 5. C. Baum, I. Damgaard,˚ S. Oechsner, and C. Peikert. Ecient commitments and zero-knowledge pro- tocols from Ring-SIS with applications to la‹ice-based threshold cryptosystems. Cryptology ePrint Archive, Report 2016/997, 2016. http://eprint.iacr.org/2016/997. 6. M. Bellare and G. Neven. Multi-signatures in the plain public-key model and a general forking lemma. In A. Juels, R. N. Wright, and S. Vimercati, editors, ACM CCS 06, pages 390–399. ACM Press, Oct. / Nov. 2006. 7. N. Bindel, J. A. Buchmann, and J. Kramer.¨ La‹ice-based signature schemes and their sensitivity to fault a‹acks. In P. Maurine and M. Tunstall, editors, FDTC 2016, pages 63–77. IEEE Computer Society, 2016.

30 8. L. G. Bruinderink, A. Hulsing,¨ T. Lange, and Y. Yarom. Flush, gauss, and reload - A cache a‹ack on the BLISS la‹ice-based signature scheme. In B. Gierlichs and A. Y. Poschmann, editors, CHES 2016, volume 9813 of LNCS, pages 323–345. Springer, Heidelberg, Aug. 2016. 9. S. Chari, J. R. Rao, and P. Rohatgi. Template a‹acks. In B. S. Kaliski Jr., C¸etin Kaya. Koc¸, and C. Paar, editors, CHES 2002, volume 2523 of LNCS, pages 13–28. Springer, Heidelberg, Aug. 2003. 10. A. Chopra. GLYPH: A new insantiation of the GLP digital signature scheme. Cryptology ePrint Archive, Report 2017/766, 2017. http://eprint.iacr.org/2017/766. 11. A. Chopra. So‰ware implementation of GLYPH. GitHub repository, 2017. https://github. com/quantumsafelattices/glyph. 12. J.-S. Coron. Higher order masking of look-up tables. In P. Q. Nguyen and E. Oswald, editors, EURO- CRYPT 2014, volume 8441 of LNCS, pages 441–458. Springer, Heidelberg, May 2014. 13. J.-S. Coron. High-order conversion from boolean to arithmetic masking. Cryptology ePrint Archive, Report 2017/252, 2017. http://eprint.iacr.org/2017/252. 14. J.-S. Coron, J. Großschadl,¨ M. Tibouchi, and P. K. Vadnala. Conversion from arithmetic to Boolean masking with logarithmic complexity. In G. Leander, editor, FSE 2015, volume 9054 of LNCS, pages 130–149. Springer, Heidelberg, Mar. 2015. 15. J.-S. Coron, J. Großschadl,¨ and P. K. Vadnala. Secure conversion between Boolean and arithmetic masking of any order. In L. Batina and M. Robshaw, editors, CHES 2014, volume 8731 of LNCS, pages 188–205. Springer, Heidelberg, Sept. 2014. 16. A. Duc, S. Dziembowski, and S. Faust. Unifying leakage models: From probing a‹acks to noisy leak- age. In P. Q. Nguyen and E. Oswald, editors, EUROCRYPT 2014, volume 8441 of LNCS, pages 423–440. Springer, Heidelberg, May 2014. 17. L. Ducas, A. Durmus, T. Lepoint, and V. Lyubashevsky. La‹ice signatures and bimodal Gaussians. In R. Cane‹i and J. A. Garay, editors, CRYPTO 2013, Part I, volume 8042 of LNCS, pages 40–56. Springer, Heidelberg, Aug. 2013. 18. L. Ducas, T. Lepoint, V. Lyubashevsky, P. Schwabe, G. Seiler, and D. Stehle. CRYSTALS – dilithium: Digital signatures from module la‹ices. Cryptology ePrint Archive, Report 2017/633, 2017. http: //eprint.iacr.org/2017/633. 19. T. Espitau, P.-A. Fouque, B. Gerard,´ and M. Tibouchi. Loop-abort faults on la‹ice-based Fiat-Shamir and hash-and-sign signatures. In R. Avanzi and H. M. Heys, editors, SAC 2016, volume 10532 of LNCS, pages 140–158. Springer, Heidelberg, Aug. 2016. 20. T. Espitau, P.-A. Fouque, B. Gerard,´ and M. Tibouchi. Side-channel a‹acks on BLISS la‹ice-based signatures: Exploiting branch tracing against strongSwan and electromagnetic emanations in micro- controllers. In B. M. ‘uraisingham, D. Evans, T. Malkin, and D. Xu, editors, ACM CCS 17, pages 1857–1874. ACM Press, Oct. / Nov. 2017. 21. C. Gentry, C. Peikert, and V. Vaikuntanathan. Trapdoors for hard la‹ices and new cryptographic constructions. In R. E. Ladner and C. Dwork, editors, 40th ACM STOC, pages 197–206. ACM Press, May 2008. 22. S. Goldwasser, S. Micali, and R. L. Rivest. A digital signature scheme secure against adaptive chosen- message a‹acks. SIAM J. Comput., 17(2):281–308, 1988. 23. T. Guneysu,¨ V. Lyubashevsky, and T. Poppelmann.¨ Practical la‹ice-based cryptography: A signature scheme for embedded systems. In E. Prou‚ and P. Schaumont, editors, CHES 2012, volume 7428 of LNCS, pages 530–547. Springer, Heidelberg, Sept. 2012. 24. Y. Ishai, A. Sahai, and D. Wagner. Private circuits: Securing hardware against probing a‹acks. In D. Boneh, editor, CRYPTO 2003, volume 2729 of LNCS, pages 463–481. Springer, Heidelberg, Aug. 2003. 25. V. Lyubashevsky. Fiat-Shamir with aborts: Applications to la‹ice and factoring-based signatures. In M. Matsui, editor, ASIACRYPT 2009, volume 5912 of LNCS, pages 598–616. Springer, Heidelberg, Dec. 2009. 26. V. Lyubashevsky. La‹ice signatures without trapdoors. In D. Pointcheval and T. Johansson, editors, EUROCRYPT 2012, volume 7237 of LNCS, pages 738–755. Springer, Heidelberg, Apr. 2012. 27. T. Oder, T. Schneider, T. Poppelmann,¨ and T. Guneysu.¨ Practical CCA2-secure and masked ring-LWE implementation. Cryptology ePrint Archive, Report 2016/1109, 2016. http://eprint.iacr. org/2016/1109.

31 28. P. Pessl, L. G. Bruinderink, and Y. Yarom. To BLISS-B or not to be: A‹acking strongSwan’s implemen- tation of post-quantum signatures. In B. M. ‘uraisingham, D. Evans, T. Malkin, and D. Xu, editors, ACM CCS 17, pages 1843–1855. ACM Press, Oct. / Nov. 2017. 29. T. Poppelmann,¨ L. Ducas, and T. Guneysu.¨ Enhanced la‹ice-based signatures on recon€gurable hard- ware. In L. Batina and M. Robshaw, editors, CHES 2014, volume 8731 of LNCS, pages 353–370. Springer, Heidelberg, Sept. 2014. 30. O. Reparaz, R. de Clercq, S. S. Roy, F. Vercauteren, and I. Verbauwhede. Additively homomorphic Ring- LWE masking. In T. Takagi, editor, PQCrypto 2016, volume 9606 of LNCS, pages 233–244. Springer, 2016. 31. O. Reparaz, S. S. Roy, F. Vercauteren, and I. Verbauwhede. A masked ring-LWE implementation. In T. Guneysu¨ and H. Handschuh, editors, CHES 2015, volume 9293 of LNCS, pages 683–702. Springer, Heidelberg, Sept. 2015. 32. M. Rivain and E. Prou‚. Provably secure higher-order masking of AES. In S. Mangard and F.-X. Standaert, editors, CHES 2010, volume 6225 of LNCS, pages 413–427. Springer, Heidelberg, Aug. 2010.

32 Appendices A Security Proof for rGLP and rGLP with commitment

A.1 Mathematical preliminaries Let us delay the security proof for a bit to expose useful probabilistic tools we are going to use.

Concentration bounds for inner product of uniform vectors. T n T Proposition 1. Let u = (u1, . . . , un) ∈ R a €xed vector and x = (x1, . . . , xn) a random uniform vector of {−1, 0, 1}n. Œen hu, xi satis€es

kuk2s2 h shx,uii 2 E e ≤ e 2 , for any s ∈ R ‘is €rst concentration inequality is classical in the probability literature and asserts that the scalar product between a random uniform vector and a €xed vector yields a subgaussian variable. For completeness purpose we expose a short proof of this claim.

Proof. Let choose s ∈ R, then we have by linearity and independence:

h hu,xii h Pn u x i E e = E e i=1 i i n Y sxiui = E [e ] (Independence of the xi) i=1

n 2 2 Y s |ui| ≤ e 2 (Hoe‚ding Lemma) i=1 2 2 kuk2s = e 2 .

ut

T n T Proposition 2. Let u = (u1, . . . , un) ∈ R a €xed vector and x = (x1, . . . , xn) a uniformly random vector of {−1, 0, 1}n, with Hamming weight at most α, h i 1 Pr |hu, xi| ≥ p4α/3 · kuk ≤ . ∞ 2

‘is second concentration bound gives a more precise result in the case where the €xed vector is sparse. Proof. Denote by I the support of x. By symmetry of the distribution of x, E(hu, xi) = 0, but by linearity and independence:

h 2i X X 2α E hu, xi = u u E [x ] E [x ] + u2E x2 ≤ kuk2 . i j i j i i 3 ∞ i6=j∈I i∈I

We then conclude by Bienayme–Tchebychev´ inequality. ut

34 A reduction from a variant of DCK. In all of the following, for any €nite set S, we denote generically by U(S) the uniform distribution over S. Let us €x γ a positive integer. Let now uγ be the convolution U({−1, 0, 1})?U({−γ, . . . , γ}), that is the distribution obtained when sum- ming two independent random variables U and V , drawn respectively under U({−1, 0, 1}) and U({−γ, . . . , γ}) We extend this distribution to Rγ by sampling independently the n coecients from the distribution uγ , and call it Ueγ

n n Lemma 10. Œe statistical distance between Ueγ and U(Rγ ), is bounded by 2γ + γ2 .

Proof. Let U and V be two independent random variables, drawn respectively under U({1 − γ, . . . , γ − 1}) and U({−1, 0, 1}). We then have directly:

∆(Ueγ , U(Rγ )) ≤ n∆(uγ , U({−γ, . . . , γ})))

X −1 ≤ n Pr [U + V = t] − (2γ + 1) U,V t∈{−γ,...,γ}

X X 1 −1 = n Pr [U = t − v] − (2γ + 1) 3 U t∈{−γ,...,γ} v∈{−1,0,1}

X X 1 −1 = n Pr [U = t − v] − (2γ + 1) 3 U t∈{1−γ,...,γ−1} v∈{−1,0,1}

1 −1 1 −1 + n Pr [U = 1 − γ] − (2γ + 1) + n Pr [U = γ − 1] − (2γ + 1) 3 U 3 U

X −1 −1 1 −1 −1 = n (2γ − 1) − (2γ + 1) + 2n (2γ − 1) − (2γ + 1) 3 t∈{1−γ,...,γ−1} −1 −1 ≤ n(2γ + 1) (2γ − 1) − (2γ + 1)

2γ + 1 = n − 1 2γ − 1 n n < + , 2γ γ2

2γ+1 the €nal domination being obtained by looking at the Laurent development of 2γ−1 .

We now introduce a variant of the DCKp,n problem where the terms s1, s2 are now sampled from the distribution Ueγ .

De€nition 8 Œe S-DCKp,n,γ problem (Summed-Decisional Compact Knapsack problem) is the problem of distinguishing between the uniform distribution over R × R and the distribution (a, as1 + s2) with s1,s2 independently drawn under Ueγ .

Since the support of Ueγ is larger than the support originally used in the DCKp,n problem, it seems natural to suppose that the DCKp,n is somewhat easier to solve than the introduced S-DCKp,n,γ . ‘is intuition is formalized in Proposition 3.

Proposition 3. Œe DCKp,n problem is at most as hard as the S-DCKp,n,γ problem.

35 0 Proof. Any challenge (a, u) of the DCKp,n problem can be transformed in a challenge for (a, u ) 0 for the S-DCKp,n,γ problem by le‹ing u = u + au1 + u2 with u1,u2 independently drawn under the uniform distribution over Rγ−1, by de€nition of Ueγ . Indeed, if u is of the form as1 +s2 0 for s1, s2 drawn independently and uniformly in Rγ , then u = a(s1 + u1) + (s2 + u2), with 0 the (si + ui) independently drawn under Ueγ . If u is uniform in R, then u remains uniform in R.

Collision probability for linear hashing over R.

2 Lemma 11. Let 0 < γ < p and a ∈ R, then for any s1, s2 ∈ Rγ drawn under Ueγ , there exists 0 0 2 0 0 another pair s1, s2 ∈ Rγ such that as1 + s2 = as1 + s2 with probability at least pn 2n 2n 1 − (2γ+1)2n − γ − γ2 .

Proof. Let a ∈ R and de€ne the linear function φa :(x, y) 7→ ax + y. ‘is function maps a 2n n set of p elements to a set of p elements and so any vector in the image of φa admits at most n n 2 0 0 p preimages. ‘en there exists at most p pairs (x, y) in Rγ such that φa(x, y) 6= φa(x , y ) 0 0 2 for every other (x , y ) ∈ Rγ . Hence the probability of uniformly drawn vector not to have a second preimage through φa is at most

pn . (2γ + 1)2n

We then conclude with using the statistical distance between the uniform distribution and Ueγ . ut

A.2 Security proof for the r-GLP signature scheme

In this section, we present a security proof for our r-GLP signature scheme. ‘e inforgability property of the scheme under the hardness of both the DCK and R-DCK problems, is captured by the following theorem:

‡eorem 5. Œe probability that an adversary A, who makes at most qh queries to the random oracle H and runs in time T succeeds in forging a signature for the oracle S0 is upper bounded by: r  (T ) q q δ ≤ DCK +  (T ) + (1 − p ) h + p h + 2 (T ) C R-DCK r pn r (2k + 1)n DCK with: ! √ ! A  n 2  p −2n n C = γ 1 − 1 − − , 32 2γ (2γ) (2γ) and √  2n h −x p p i 2α Aγ = sup 1 − 2e − 4 2(2k + γ 16x/3) x + log n/p , pr = 1 − , x 2k + 1 for 1 ≤ γ ≤ p.

36 Algorithm 21: Signature oracle S0 Algorithm 22: Signature oracle S1 Data: m, pk = (a, t), sk = (s1, s2) Data: m, pk = (a, t), sk = (s1, s2) Result: Signature σ Result: Signature σ $ $ 1 y1 ←−Rk 1 y1, y2 ←−Rk $ 2 r ← ay1 + y2 2 y2 ←−Rk 3 c ← H(r, m) 3 r ← ay1 + y2 4 z1 ← s1c + y1 4 c ← H(r, m) 5 z2 ← s2c + y2 5 z1 ← s1c + y1 6 if z1 or z2 ∈/ Rk−α then 6 z2 ← s2c + y2 $ 7 if z1 or z2 ∈/ Rk−α then 7 r ←−R; Program H(r, m) = c 8 return r 8 return r 9 end 9 end 10 return σ = (z1, z2, c) 10 return σ = (z1, z2, c)

Description of the hybrid games involved in the security proof.

Game G0. ‘is game is the security game of the existential unforgeability under chosen mes- sage a‹ack [22]. 1. (s1, s2), (a, t) ← KeyGen() 2. (m∗, σ∗) ← AH,S0(s1,s2)(a, t) 3. return 1 if (Verify(a, t, m∗, σ∗) = 1 and (m∗, σ∗) has not been returned by the oracle S0) 0 otherwise. ‘e signing oracle S0 is described in Algorithm 21. Game G1. ‘is game is the same one as in G0 except that the Signing oracle is replaced by the oracle S1 described in Algorithm 22: 1. (s1, s2), (a, t) ← KeyGen() 2. (m∗, σ∗) ← AH,S1(s1,s2)(a, t) 3. return 1 if (Verify(a, t, m∗, σ∗) = 1 and (m∗, σ∗) has not been returned by the oracle S1) 0 otherwise. ‘e only di‚erence between the actual signing algorithm and the algorithm in S1 is that in this oracle, when the rejection sampling fails, a fresh commitment value r is generated from the random oracle, independently of the values taken by y1 and y2. Game G2. ‘is game is the same one as in G1 except that the Signing oracle is replaced by the oracle S2 described in Algorithm 23: 1. (s1, s2), (a, t) ← KeyGen() ∗ ∗ H,S 2. (m , σ ) ← A2 (a, t) 3. return 1 if (Verify(a, t, m∗, σ∗) = 1 and (m∗, σ∗) has not been returned by the oracle S1) 0 otherwise. ‘e di‚erence between G1 and G2 is that the returned values of the random oracle H is now n chosen at random from the set Dα, so that this oracle does not use the secret key anymore. Game G3. ‘e game is now slightly di‚erent from the previous one, but the oracle used in this game is still the same, that is S2, described in Algorithm 23. ‘e di‚erence between the these two games mainly lies in the fact that the domain from which the keys are drawn is extended to Rγ , under the distribution Ueγ . We ultimately want to show that a forger against this game can be used to solve an instance of the DCK problem. input: (a, t0) challenge of DCKp,n

37 $ 2 1. (s1, s2) ← Ueγ 2. a ←$ R 3. t ← as1 + s2 4. (m∗, σ∗) ← AH,S2 (a, t) 5. return 1 if (Verify(a, t, m∗, σ∗) = 1 and (m∗, σ∗) has not been returned by the oracle S1) 0 otherwise.

Algorithm 23: Signature oracle S2 Data: m, pk = (a, t) Result: Signature σ $ n 1 c ←−Dα  2n $  2α  2 B ←− Bernoulli 1 − 2k+1

3 if B = 1 then $ 4 r ←−R 5 Program H(r, m) = c 6 return r 7 else $ 8 z1 ←−Rk−α $ 9 z2 ←−Rk−α 10 r ← az1 + z2 − tc 11 end 12 Program H(r, m) = c 13 return σ = (z1, z2, c)

Proof of ‡eorem 5. Firstly we establish indistinguishability results between the games G0 and G1, then between G1 and G2 and eventually between G2 and G3. ‘ese results are formalized in Lemma 12, Lemma 13 and Lemma 14. In a second time we show in Lemma 15 how we can construct a distinguisher for the DCK problem from an adversary that is able to win the game S3 with non-negligible probability. ‘e result of ‘eorem 5 is then a direct consequence of the triangular inequality. Before going into the details of these lemmas and since this result will be used multiple time in the proof, we recall that the probability pr of ge‹ing accepted by the rejection sampling in the signature (or equivalently in the oracle S0.

 2α 2n p = 1 − r 2k + 1

Lemma 12 (Computational indistinguishability of G0 and G1). Let A be an adversary of time complexity bounded by T , having access to either the signing algorithm S0 or the oracle S1, and limited to perform at most qh queries to the H oracle (this count includes the calls that can be

38 performed while calling the signing oracles too). Its computational advantage in distinguishing the signing algorithm S0 from S1 is bounded by: q  (T ) + (1 − p ) h . R-DCK r pn

Proof. Remark that:

1. ‘ere is no statistical di‚erence between the output distribution of the two oracles that are accepted by the rejection sampling (that is so that z1 or z2 do not lie in the set Rk−α). 2. On the one hand, the distribution of outputs of S0 that are rejected by the rejection sampling is by construction the distribution of (ay1 + y2) where (a, c, y1, y2) is uniformly sampled n 2 in R × Dα × Rk, conditioned by the event s1c + y1 ∈/ Rk−α or s2c + y2 ∈/ Rk−α. Such a vector along with a and c constitutes a sample of the distribution of R-DCK by de€nition. 3. On the other hand the distribution of outputs of S1 that are rejected by the rejection sam- pling is by construction the uniform distribution over R conditioned by the event the sim- ulation by the random oracle is perfect and remains coherent. Indeed a‰er yielding the commitment r, the random oracle H is programmed so that H(r, m) = c without checking whether the value r has been already set. But the adversary calls at most qh times the oracle H, at most qh values can be set by the adversary. Hence this distribution is at distance at most: ( ) −n qh Pr [r already set by H] = qhp $ r←−R from uniform.

‘erefore the advantage of A in distinguishing the two oracle S0 and S1 satis€es by the law of total probability:

Pr [A wins G1]− Pr [A wins G0]

( )

≤ R-DCK(T ) + (1 − pr)qh Pr [r already set by H] $ r←−R ( ) 0 ≤ R-DCK(T ) + (1 − pr)qh max Pr [r = r ] r0∈R $ r←−R q =  (T ) + (1 − p ) h , R-DCK r pn where R-DCK(T ) is an upper bound on the R-DCK-advantage of any adversary running in time T (and hence negligible under the R-DCK hardness assumption for polynomial T ). ut

Lemma 13 (Computational indistinguishability of G1 and G2). Let A be an adversary of time complexity bounded by T , having access to either the signing algorithms S1 or S2, and limited to perform at most qh queries to the H oracle (this count includes the calls that can be performed while calling the signing oracles too). Its computational advantage of distinguishing the two oracles of hybrid G1 or G2 is bounded by q p h . r (2k + 1)n

39 Proof. First remark that the parameter chosen for the Bernoulli is exactly the probability of 2n  2α  ge‹ing a valid signature when signing honestly with the secret key that is pr = 1 − 2k+1 . Let us then perform a case analysis, depending on the conditioning by the value taken by the variable B.

– Case B = 0: Let consider the output distribution of S2, conditioned by the event B = 0 (that is only considering the executions where the Bernoulli variable B is set to 0). ‘is distribution is by construction statistically indistinguishable from the distribution of the game S1 conditioned by the rejection of the computed signature. – Case B = 1: Let now consider the output distribution of S2, conditioned by the event B = 1. ‘is distribution is then by construction statistically indistinguishable from the distribution of the game S1 conditioned this time by the acceptance of the computed signature as long as the the simulation by the random oracle is perfect and remains coherent. Indeed once z1, z2 are sampled, the value of the commitment is set a posteriori to ful€ll the equation r = az1 + z2 − tc and the random oracle is programmed to the answer to H(az1 + z2 − tc, m) = H(ay1 + y2, m). If the value for (ay1 + y2, m) was already set, we abort the simulation. ‘us one needs to evaluate the probability that ay1 + y2 = r for a given r ∈ R when y1 and y2 are sampled uniformly and independently in Rk:

max Pr [ay1 + y2 = r] ≤ max Pr [ay1 + y2 = r] r = au + v y1,y2 r∈R y1,y2 u, v ∈ Rk

= max Pr [y2 = r − ay1] r∈R y1,y2 0 = max Pr [y2 = r ] 0 r ∈R y2 = (2k + 1)−n. We eventually conclude by the law of total probability:  2n 2α qh Pr [A wins G2] − Pr [A wins G1] ≤ 1 − . 2k + 1 (2k + 1)n ut

Lemma 14 (Computational indistinguishability of G2 and G3). Let A be an adversary of time complexity bounded by T , having access to either the signing algorithms S2 or S3,. Its compu- tational advantage of distinguishing the two oracles of hybrid G2 or G3 is bounded by

2DCK(T ) where DCK(T ) is an upper bound on the DCK(T )-advantage of any adversary running in time T .

Proof. ‘e di‚erence between the games G2 and G3 lies in the distribution from which the keys s1, s2 are sampled. In G2 they are drawn under U(R1), whereas in G3 they are drawn under the Ueγ . Hence the advantage of the adversary A to distinguish these two games when knowing the values of (a, as1 + s2 is bounded by the advantage it has to distinguish (a, as1 + s2) from the uniform distribution, that is its advantage in solving either the DCK problem or the S-DCK problem. Since using Proposition 3 the advantage in solving the DCK problem is smaller than the advantage in solving the S-DCK problem, its advantage in distinguishing the two games is bounded by 2DCK(T ). ut

40 Lemma 15 (Applying the Forking Lemma to construct a distinguisher for DCK). Sup- pose there exists a forger F, that succeeds in forging with probability δ, who is given the veri€- cation key and access to the signing oracle S3 in the Hybrid G3, is limited to at most qh queries to the random oracle H. Œen there exists a probabilistic algorithm A of same time complex- ity as F, which, for a given pair (a, t) ∈ R2 is able to decide whether (a, t) follows the R- DCK distribution or is made from two independent random samples, with probability at least   2   1 n+1 n δ−α n √ −2n −1 −2
1 − (δ − 3 ) − 3 1 − ( p(2γ + 1)) − n(2γ) − nγ Aγ , where 32 2γ+1 qh √ h −x p p i Aγ = sup 1 − 2e − 4 2(2k + γ 16x/3) x + log n/p . x

Proof. Let us take a, t0 ∈ R the instance of the DCK problem we want to solve. 2 Let us generate s1, s2 ∈ Rγ and the corresponding t = as1 + s2 public key (note that this key is constructed with the challenge element a). We now choose random coins φ and ψ which will be used respectively by the forger and the signer. We also pick the values that will correspond to the responses of the random oracle c1,..., cqh . Let de€ne the algorithm a:

input: (a, t, φ, ψ, c1,..., cqh ) output: A couple message, signature (m, z1, z2, c) 1. Initialize a with a, t, φ. 2. Run F. 3. Each time F requires a signature, a intercepts the call and runs S2, using the random coins ψ as entropy to produce a signature. – During this process, some queries to the random oracle H are performed (by the signa- ture oracle or by F itself).

– In such cases the response of H will be the €rst ci in the list (c1,..., cqh ) that has not been used yet. 4. As soon as F €nishes running return the forged signature (m, z1, z2, c).

−α Let α = 3 be the probability of sampling a particular element uniformly at random in the range of the random oracle H. ‘e routine a outputs, with probability δ, a message m and its signature (z1, z2, c), which by construction satis€es: c = H((az1 + z2 − tc), m). If the random oracle H was neither queried nor programmed with the speci€c input r = az1 +z2, then, by choosing at random in the range of H, the forger has probability exactly α of generating c satisfying the relation c = H(r, m). ‘is implies that with probability 1 − α, c belongs to the list (ci)i. Hence the probability that a succeeds in forging a signature (z1, z2, c) so that c is one of the (ci)i is at least δ − α. Suppose from now on that this is case, and without loss of generality we can assume that this returned values is c1, by simply reordering the (ci)i beforehand. Following the execution ƒow of the procedure a, one can remark that two cases can occur: [R1 ] Either c was programmed directly by F to be the output of H on a certain pair (r0, m0) = 0 0 0 0 (az1 + z 2, m ) when signing the message m . Since (z1, z2, c) is a valid signature returned by the forger, we have:

0 0 0 H(az1 + z2 − tc, m) = H(az1 + z 2 − tc, m ).

41 0 0 0 If m 6= m or az1 + z2 − tc 6= az1 + z 2 − tc then the forger has found a preimage of c1 for H. ‘is event occurs with probability exactly α. One can thus suppose that az1 +z2 −tc = 0 0 0 0 az1 + z 2 − tc with probability 1 − α. Hence by se‹ing u1 = z1 − z1 and u2 = z2 − z2, we have found two elements of norm bounded by 2k such that au1 + u2 = 0, which are 0 0 non-zero otherwise (z1, z2, m) would be exactly the same as the signature (z1, z2, m). [R2 ] Either c1 results from a call to the signature oracle, we store the forged signature z1, z2, c1. 0 0 ‘en replay the algorithm a with the same coins but di‚erent and fresh c1,..., c qh . By the 0 0 general Forking Lemma [6] the probability so that c1 6= c 1 and the forger uses the random oracle response c1 (and the query associated to it) in the forgery is at least   δ − α (δ − α) − α . qh

Eventually, we can produce two signatures for the message m, denoted by (z1, z2, c) and 0 0 0 (z1, z 2, c ), so that the commitment coincides: 0 0 0 0 a(z1 − s1c) + z2 − s2c = a(z1 − s1c ) + z 2 − s2c , that is: 0 0 0 0 a(z1 − s1c − z1 + s1c ) + (z2 − s2c − z 2 + s2c ) = 0. Let us set ( 0 0 u1 = z1 − s1c − z1 + s1c 0 0 . u2 = z2 − s2c − z 2 + s2c

‘e probability of having (u1, u2) 6= (0, 0) is at least ! 1  n + 1 2 p 1 − 2 c 2γ + 1

with √ −2n −1 −2 −1 pc = 1 − ( p(2γ + 1)) − n(2γ) − nγ ≈ 1 − n(2γ) . 0 0 Indeed, by Lemma 11, with probability at least pc there exists another pair (s1, s 2) such that 0 0 as1 + s2 = as1 + s2. Suppose that (u1, u2) = (0, 0). ‘en playing the previous argument 0 0 0 (and so using the same randomness) with the si instead of the si yields another pair (u1, u2). Suppose that this pair is also (0, 0). ‘en we have: 0 0 0 s1(c − c ) = s1(c − c ) 0 0 0 s2(c − c ) = s2(c − c ), 0 0 0 meaning that s1R = s2R = s1R = s2R = (c − c )R 6= {0}, R (indeed, the si can not 0 0 be all zero by construction and if (c − c ) is invertible then we would have s1 = s1 and 0 s2 = s2). Hence this event can occurs with probability dominated by  0  Pr s1R = s2R = (c − c )R ≤ max Pr [s1R = s2R = I] s1,s2 I6={0},R s1,s2 ≤ max Pr [sR = I]2 I6={0},R s∼Ufγ  2 ≤ max n(2γ)−1 + nγ−2 + Pr [sR ∈ I] I6={0},R s∈U(Rγ )  2 = n(2γ)−1 + nγ−2 + max Pr [sR ∈ I] I6={0},R s∈U(Rγ )

42 Hence to estimate maxI6={0},R Prs [sR ∈ I], we fall back to describing the ideals of R. Classicaly, since R =∼ (Z[X]/(Xn + 1))/p its ideals are in (antitone) bijection with the divisors of Xn + 1 mod p. Let then P be a divisor of Xn + 1 mod p, then the ideal generated by P in R has cardinality pn−deg P and the probability that s ∈ (P ) is at most (2γ +1)− deg P . Indeed, the probability of this event is equal to Pr [s = 0 mod P ], yielding the announced majoration since the reduction mod P acts as a bijection when €xing the n − deg P coecients of highest degrees. ‘erefore we get the estimate:

max Pr [sR ∈ I] ≤ max (2γ + 1)−d I6={0},R s d∈{1,...,n−1} = max (2γ + 1)−2d = (2γ + 1)−1. d∈{1,...,n−1}

‘e probability of ge‹ing once again zero elements ui is then dominated by ((n + 1)(2γ + 1))−2. ‘e forger F does not get access to these functionally equivalent secret keys. Since it does not use them for simulating the signing oracle, we will get a non-zero answer with probability at least 1/2, since each key has an equal probability of being chosen by unifor- mity of the generation. We then need to estimate the norm of the vectors u1, u2, which with a certain probability is not too big. Indeed, remark that Proposition 2 and union bound ensures that with probability 1 0 0 q 4α at least 16 , the elements s1c, s1c, s2c and s2c have their `∞-norm bounded by γ 3 , q 16α meaning that kuik∞ ≤ 2k + γ 3 , for i = 1, 2.

All in all, in the case [E1], we can €nd a couple (u1, u2) 6= (0, 0) of norm bounded by 2k such that au1 + u2 = 0 with probability at least (1 − α) anf in the case [E2], we can €nd two q 16α u1, u2 of norm bounded by 2k + γ 3 such that au1 + u2 = 0 with probability at least  2!   1 n + 1 δ − α p0 = pc 1 − (δ − α) − α < 1 − α 2 2γ + 1 qh

Hence, in any cases, with probability at least p0 one can €nd such vectors. Now allows us to get a non negligible advantage in solving the DCK instance, acting as a trapdoor for this problem. Indeed, for the trial (a, t0), given as input, two cases can occur:

1. Either the element t of R is taken uniformly at random, the probability of u1t to be inside n−1 the `∞ ball of radius 2τ is crudely upper bounded by (4τ −1)/(p−1) (indeed, at most p elements can vanish under the action of x 7→ u1x, and for the remaining ones, at most (4τ − 1)/(p − 1) elements per space of dimesion 1 minus zero intersects the ball). 2. Either it is of the form (a, as3 + s4), the multiplication of the la‹er pair by u1 yields:

(au1, au1s3 + u1s4) = (au1, −u2s3 + u1s4). √ √ We can notice that −u2s3 +u1s4 has in€nity norm bounded by 2τ = 2 2kuik2 x + log n with probability at least 1 − 2e−x, for a free parameter x which will be used for later opti- mization. To see this, remark that

Pr [u1s2 + u2s1 ≥ 2τ] ≤ Pr [u1s2 ≥ τ] + Pr [u2s1 ≥ τ]

43 by the union bound. But we have for i = 1, 2, j = 1, 2 and s > 0:

" n # _ Pr [uisj ≥ τ] ≤ Pr {[uisj]k ≥ τ} Coecient extraction k=1

≤ n Pr [[uisj]1 ≥ τ] Union bound

≤ n Pr [s[uisj]1 ≥ sτ] Positivity of s

≤ n Pr [exp (s[uisj]1)) ≥ exp(sτ)] Monotony of exponential E [exp (s[u s ] )] ≤ n i j 1 Markov’s Inequality exp(sτ) s2ku k2  ≤ exp i 2 − sτ + log n Proposition 1 2  τ 2  ≤ exp − 2 + log n 2kuik √ √ 2 ! ( 2kuik2 x + log n) = exp − 2 + log n 2kuik = exp (−(x + log n) + log n) = exp(−x)

‘erefore the distinguisher constructed by testing if the element tu1 lies inside the ball of radius 2τ has advantage √ h −x p p i Ax = sup 1 − 2e − 4 2(2k + γ 16x/3) x + log n/p . x

We de€ne the algorithm A to be the algorithm that €nd the trapdoors elements u1, u2 from the forgery of a valid signature by F and which answer the DCK challenge with the distinguisher above-mentioned. Its running time is at most twice the running time of the forger F and its success probability is at least Axp0, by construction. ut

Remark 6 (Practical considerations). Assuming the computational hardness of both DCK and R- DCK problems, choosing γ = 1664 ≈ 210.70 (resp. γ = 2504) for the small (resp. large) security parameters set ensures a security level of 100 (resp 256) bits.

A.3 r-GLP signature scheme with commitment ‘is part describes the GLP signature scheme combined with the commitment procedure intro- ck ck ck  duced in [5]. ‘e public commitment key ck = 1,1 1,2 1,3 is sampled uniformly at ck2,1 ck2,2 ck2,3 random in R2×3 during the key derivation algorithm. ‘e parameter k0 is set accordingly to 2q the estimation of [5], so greater than 3 . In this variation of the original signature scheme, the value r is hidden through the linear commitment. Hence, even if an a‹acker learn the commi‹ed value f1, f2 by side channel, the computational indistinguishability of the commitment with an uniform distribution ensures that no secret-dependant information could possibly be extracted

44 from this trace. To formalize this intuition we prove like in the la‹er section that one round of the signature scheme with return values even in case of a rejection is EUF-CMA. We now sketch the security proof of this modi€ed scheme.

Algorithm 24: GLP signature with com- mitment Data: m, pk, sk, ck Result: Signature σ Algorithm 25: GLP veri€cation with com- y , y ←−R$ mitment 1 1 2 k m σ pk ck $ Data: , , , 2 u1, u2, u3 ←−Rk0 1 if z1 and z2 ∈ Rk−α and 3 r ← ay + y T 1 2 c = H((u1, u2, u3) · ck + (0, az1 + T 4 (f1, f2) ← (u1, u2, u3) · ck + (0, r) z2 − tc), m) then 5 c ← H(f1, f2, m) 2 accept 6 z1 ← s1c + y1 3 else 7 z2 ← s2c + y2 4 reject 8 if z1 or z2 ∈/ Rk−α then 5 end 9 return (f1, f2) 10 end 11 return σ = (z1, z2, u1, u2, u3, f1, f2, c)

Game G0. ‘is game is the security game of the existential unforgeability under chosen mes- sage a‹ack, where the adversary can ask at most qh hash queries to the H oracle and qs sign queries to the Signing oracle S0 given in Algorithm 26. Notice that the signature includes the random values u1, u2, u3 to open the commitment (f1, f2) of r. Game G1. ‘is game is the same as in G0 except that the Signing oracle S1 is given in Algo- rithm 27. ‘e di‚erence in the signing algorithms is that in the case of a rejection at line 6: the commi‹ed variables f1, f2 are freshly re-sampled, independently from any previous values. ‘is game is computationally indistinguishable from G0 under the hiding property of the commitment scheme (see [5]) by choice of the commitment parameters. ‘is prop- erty relying on the hardness of the R-LWE problem. Notice that the previous argument remains valid as long as the simulation by the random oracle is perfect and remains coher- ent. Indeed a‰er yielding the commitment r, the random oracle H is programmed so that H(y1, y2, m) = c without checking whether the value y1, y2 has been already set. If an ad- versary A running in time T calls H qh times, at most qh values can be set by the adversary and we get:

qh Pr [A wins G1] − Pr [A wins G0] ≤  (T ) + (1 − pr) , RLWE p2n

where RLWE(T ) is an upper bound on the advantage of any adversary running in time T to solve the R-LWE problem. All in all G0 and G1 are thus computationally indistinguishable under the hardness Ring-LWE assumption.

45 Algorithm 27: Signature oracle S1 Algorithm 26: Signature oracle S0 Data: m, pk = (a, t), sk = (s1, s2) m pk = (a, t) sk = (s , s ) Data: , , 1 2 Result: Signature σ Result: Signature σ $ $ 1 y1, y2 ←−Rk 1 y1, y2 ←−Rk $ $ 2 u1, u2, u3 ←−Rk0 2 u1, u2, u3 ←−Rk0 T 3 (f1, f2) ← (u1, u2, u3) · ck + (0, r) 3 r ← ay1 + y2 4 c ← H(f , f , m) T 1 2 4 (f1, f2) ← (u1, u2, u3) · ck + (0, r) 5 z1 ← s1c + y1 5 c ← H(f1, f2, m) 6 z2 ← s2c + y2 6 z1 ← s1c + y1 7 if z1 or z2 ∈/ Rk−α then 7 z2 ← s2c + y2 $ 8 f1, f2 ←−R 8 if z1 or z2 ∈/ Rk−α then 9 Program H(f1, f2, m) = c 9 return (f1, f2) 10 return (f1, f2) 10 end 11 end 11 return σ = (z1, z2, u1, u2, u3, f1, f2, c) 12 return σ = (z1, z2, u1, u2, u3, f1, f2, c)

Game G2. In this game, we replace the Signing oracle by S2 described in Algorithm 28 and take as input a trial of the DCKp,n problem. input: (a, t) trials of DCKp,n 2 1. (s1, s2) ← Rγ 2. (m∗, σ∗) ← AH,S2 (a, t) 3. return 1 if (Verify(a, t, m∗, σ∗) = 1 and (m∗, σ∗) has not been returned by the oracle S1) 0 otherwise. ‘e di‚erence between G1 and G2 lies in that the la‹er don’t use the secret key anymore. n Indeed the returned value of the random oracle H is now chosen at random from the set Dα, and that the acceptance in the rejection sampling is simulated by a Bernoulli trial of param- eter pr, that is the exact probability of ge‹ing a valid signature when signing honestly with the secret key. In the case of simulating an accepted signature, z1, z2 are generated at ran- dom in the space of accepted signature (i.e. Rk−α). ‘en r is recomputed from z1, z2, t, c to satisfy the equation r = az1 + z2 − tc = ay1 + y2. From this value a commitment is constructed as in the real signature and the random oracle is programmed accordingly. Exactly like in appendix A.2, we can prove that the games G1 and G2 are then also com- putationally indistinguishable by the same hybrid argument involving an additional game where the key parameters are stretched. Eventually the exact same forking lemma-based argument concludes the proof by showing how to reduce the adversary to a distinguisher for the DCK problem, concluding the proof. Under the hardness of both the DCK and R-LWE problems, the advantage of the a‹acker is therefore negligible. We can indeed show by indistinguishability that the advantage of the at- tacker in the €rst game is also negligible and then prove the EUF-CMA property of the signature scheme.

B Masked r-GLP with commitment

‘e masking of the key generation remains the same with the additional generation of the public commitment key ck. For the signature, the commitment gadget (algorithm 30) is added. It is a

46 Algorithm 28: Signature oracle S2 Data: m, pk = (a, t) Result: Signature σ $ 0 1 u1, u2, u3 ←−Rk $ n 2 c ←−Dα  2n $  2α  3 B ←− Bernoulli 1 − 2k+1

4 if B = 1 then $ 5 f1, f2 ←−R 6 Program H(f1, f2, m) = c 7 return (f1, f2) 8 end 9 else $ 10 z1 ←−Rk−α $ 11 z2 ←−Rk−α 12 r ← az1 + z2 − tc T 13 (f1, f2) ← (u1, u2, u3) · ck + (0, r) 14 end 15 Program H(f1, f2, m) = c 16 return σ = (z1, z2, u1, u2, u3, f1, f2, c)

matrix multiplication as showed in algorithm 30. ‘e composition is then more complex and have more gadgets. ‘e composition is in Figure7. ‘e whole signature is described in Algorithm 29.

47 DG

u1 H2 FullAdd (u1,i)0≤i≤d (u1,i)0≤i≤d

DG

u2 H2 FullAdd (u2,i)0≤i≤d (u2,i)0≤i≤d (u1,i)0≤i≤d

DG (u2,i)0≤i≤d u3 2 (y1,i)0≤i≤d H FullAdd (u3,i)0≤i≤d (u3,i)0≤i≤d m (s1,i)0≤i≤d

48 (u3,i)0≤i≤d a (z1,i)0≤i≤d

(z1,i)0≤i≤d z1 FullAdd H1 H2 FullAdd DG (f1,i)0≤i≤d f1 (y1,i)0≤i≤d (z1,i)0≤i≤d (ri)0≤i≤d c 1 Hash H Comm RS RejSp

(y2,i)0≤i≤d (z2,i)0≤i≤d (f ) (z ) DG 2,i 0≤i≤d f2 2,i 0≤i≤d z2 FullAdd H1 H2 FullAdd

(z2,i)0≤i≤d

ck

(s2,i)0≤i≤d c (y2,i)0≤i≤d

Fig. 7. Composition of commitment GLP Sign Algorithm 29: GLP masked signature with commitment Data: m, pk = (a, t), sk = (s1,i)0≤i≤d, (s2,i)0≤i≤d, ck Result: Signature σ 1 (y1,i)0≤i≤d ← DG(k, d) 2 (y2,i)0≤i≤d ← DG(k, d) 3 (u1,i)0≤i≤d ← DG(k, d) 4 (u2,i)0≤i≤d ← DG(k, d) 5 (u3,i)0≤i≤d ← DG(k, d) 1 6 (ri)0≤i≤d ← H (a, (y1,i)0≤i≤d, (y2,i)0≤i≤d) 7 ((f1,i)0≤i≤d, (f2,i)0≤i≤d)← Comm((u1,i)0≤i≤d, (u2,i)0≤i≤d, (u3,i)0≤i≤d, (ri)0≤i≤d, ck) 8 f1 ← FullAdd((f1,i)0≤i≤d) 9 f2 ← FullAdd((f2,i)0≤i≤d) 10 c ← hash(f1, f2, m) 1 11 (z1,i)0≤i≤d ←H (c, (s1,i)0≤i≤d, (y1,i)0≤i≤d) 1 12 (z2,i)0≤i≤d ←H (c, (s2,i)0≤i≤d, (y2,i)0≤i≤d) 13 RejSp ← RS((z1,i)0≤i≤d, (z2,i)0≤i≤d, k − α) 2 14 (z1,i)0≤i≤d ← H (RejSp, (z1,i)0≤i≤d) 2 15 (z2,i)0≤i≤d ← H (RejSp, (z2,i)0≤i≤d) 2 16 (u1,i)0≤i≤d ← H (RejSp, (u1,i)0≤i≤d) 2 17 (u2,i)0≤i≤d ← H (RejSp, (u2,i)0≤i≤d) 2 18 (u3,i)0≤i≤d ← H (RejSp, (u3,i)0≤i≤d) 19 z1 ←FullAdd((z1,i)0≤i≤d) 20 z2 ←FullAdd((z2,i)0≤i≤d) 21 u1 ←FullAdd((u1,i)0≤i≤d) 22 u2 ←FullAdd((u2,i)0≤i≤d) 23 u3 ←FullAdd((u3,i)0≤i≤d) 24 return σ = (z1, z2, u1, u2, u3, c)

Lemma 16. Œe gadget Comm is NI-secure.

Proof. Let δ ≤ d be the number of observations made by the a‹acker. ‘e proof consists in €lling an empty set I with at most δ indices in [0, d] such that the distribution of any tuple (v1, ..., vδ) of intermediate variables of the block can be perfectly simulated from the sensitive values

(u1,i, u2,i, u3,i, ri)i∈I (1)

For each observation vh,(h ∈ [0, δ]), we add the corresponding index i in I. A‰er having built I, every intermediate value vh is simulated by the direct computation from u1,i, u2,i, u3,i, ri and the public value ck. At the end, any set of δ ≤ d intermediate variables can be perfectly simulated with at most δ shares of each sensitive input. ‘is is enough to prove that Comm is d-NI secure. ut

49 Algorithm 30: Comm Data: (u1,i)0≤i≤d, (u2,i)0≤i≤d, (u3,i)0≤i≤d, (ri)0≤i≤d,ck Result: (f1,i)0≤i≤d, (f2,i)0≤i≤d 2d 1 ((f1,i)0≤i≤d, (f2,i)0≤i≤d) ← 0 2 for i = 0, ..., d + 1 do 3 f1,i ← ck1,1u1,i + ck1,2u2,i + ck1,3u3,i 4 f2,i ← ck2,1u1,i + ck2,2u2,i + ck2,3u3,i + ri 5 end 6 return (f1,i)0≤i≤d, (f2,i)0≤i≤d

‡eorem 6. masked-glp sign with commitment is still d-NIo secure. Proof. From Lemmas6,7,9 and 16 Algorithms DG, RS, H1, H2 and Comm are all d-NI. From Lemma8, FullAdd is d-NIo secure.

Let us assume that an a‹acker has access to δ ≤ d observations on the whole signature scheme. ‘en, we want to prove that all these δ observations can be perfectly simulated with at most δ shares of each secret among y1, y2, s1,s2,u1,u2 and u3 and the public values. With such a result, the signature scheme is then secure in the d-probing model since no set of at most d observations would give information on the secret values. In the following, we consider this distribution of the a‹acker’s δ observations:

– δ1 (resp. δ2, δ3, δ4, δ5) on the instance of DG that produces shares of y1 (resp. y2, u1, u2, u3) 1 – δ6 on H , – δ7 on Comm, – δ8 (resp. δ9) on FullAdd of f1 (resp. f2), 1 – δ10 (resp. δ11) on H which produces z1 (resp. z2), – δ12 on the instance of RS, 2 – δ13 (resp. δ14,δ15,δ16,δ17) on H applied on z1 (resp. z2,u1,u2,u3), – δ18 (resp. δ19,δ20,δ21,δ22) on FullAdd of z1 (resp. z2, u1,u2,u3) Some other observations can be made on the Hash function, their number won’t ma‹er during P22 P22 the proof. Finally, we have i=1 δi ≤ i=1 +δHash ≤ δ.

Now, we build the proof from right to le‰ as follows.

‘e €ve last FullAdd blocks are d-NI secure, then all the observations performed during the execution of FullAdd on z1 (resp. z2, u1,u2,u3) can be perfectly simulated with at most δ18 (resp. δ19,δ20,δ21,δ22) shares of z1 (resp. z2, u1,u2,u3). 2 2 H is d-NI secure, then all the observations from the call of H on z1 (resp. z2, u1,u2,u3) can be perfectly simulated with δ13 + δ18 (resp. δ14 + δ19, δ15 + δ20, δ16 + δ21, δ17 + δ22) shares of the sensitive input z1 (resp. z2, u1, u2, u3). RS is d-NI secure and do not return any sensitive element, then all the observations per- formed in gadget RS can be perfectly simulated with at most δ12 shares of z1 and z2. So, a‰er 1 H , the observations can be simulated with δ12 + (δ13 + δ18) shares of z1 and δ12 + (δ14 + δ19) shares of z2.

50 1 1 H is d-NI secure as well, thus all the observations from the call of H on y1 can be perfectly simulated with δ10+δ12+δ13+δ18 ≤ δ shares of y1 and s1. Respectively, on y2, the observations can be perfectly simulated from δ11 + δ12 + δ14 + δ19 ≤ δ shares of y2 and s2. Both €rst le‰ FullAdd gadget are d-NIo secure and do not return any sensitive element, then all the observations performed from this gadget can be perfectly simulated with at most δ8 (resp. δ9) shares of f1 (resp. f2). ‘e gadget Comm is also d-NI secure, then all the observations performed a‰er this gadget can be perfectly simulated with δ7 + δ8 + δ9 shares of u1, u2, u3 and r. ‘e le‰ H1 gadget is d-NI secure, thus all the observations from its call can be perfectly simulated with at most δ6 + δ7 + δ8 + δ9 shares of each one of the inputs y1 and y2. DG is also d-NI secure, thus we need to ensure that the number of reported observations does not exceed δ for y1, y2, u1,u2 and u3. On one hand, at the end of DG for y1, y2, the simulation relies on (δ6 + δ7 + δ8 + δ9) + (δ10 + δ12 + δ13 + δ18) ≤ δ shares of y1 and (δ6 + δ7 + δ8 + δ9) + (δ11 + δ12 + δ14 + δ19) ≤ δ shares of y2. With the additional δ1 (resp. δ2) observations performed on the €rst (resp. the second) instance of DG, the number of observations remains below δ. On the other hand, at the end of DG for u1, u2 and u2, the simulation relies on (δ8 +δ9)+(δ15 + δ20) ≤ δ shares of u1, (δ8 + δ9) + (δ16 + δ21) ≤ δ shares of u2 and (δ8 + δ9) + (δ17 + δ22) ≤ δ shares of u3. With the additional δ3 (resp. δ4, δ5) observations performed on the DG on u1 (resp. u2,u2), the number of observations remains below δ which is sucient to ensure security of the whole scheme in the d-probing model. ut

51